SS(8)                     System Manager's Manual                     SS(8)

NAME
       ss - another utility to investigate sockets

SYNOPSIS
       ss [options] [ FILTER ]

DESCRIPTION
       ss is used to dump socket statistics. It allows showing information
       similar to netstat. It can display more TCP and state information than
       other tools.

OPTIONS
       When no option is used, ss displays a list of open non-listening sockets
       (e.g. TCP/UNIX/UDP) that have an established connection.

       -h, --help
              Show summary of options.

       -V, --version
              Output version information.

       -H, --no-header
              Suppress header line.

       -O, --oneline
              Print each socket's data on a single line.

       -n, --numeric
              Do not try to resolve service names. Show exact bandwidth
              values, instead of human-readable.

       -r, --resolve
              Try to resolve numeric address/ports.

       -a, --all
              Display both listening and non-listening (for TCP this means
              established connections) sockets.

       -l, --listening
              Display only listening sockets (these are omitted by default).

       -o, --options
              Show timer information. For TCP protocol, the output format is:

              timer:(<timer_name>,<expire_time>,<retrans>)

              <timer_name>
                     the name of the timer; there are five kinds of timer
                     names:

                     on : means one of these timers: TCP retrans timer, TCP
                     early retrans timer and tail loss probe timer

                     keepalive: tcp keep alive timer

                     timewait: timewait stage timer

                     persist: zero window probe timer

                     unknown: none of the above timers

              <expire_time>
                     how long until the timer expires

              <retrans>
                     how many times the retransmission occurred

       -e, --extended
              Show detailed socket information. The output format is:

              uid:<uid_number> ino:<inode_number> sk:<cookie>

              <uid_number>
                     the user id the socket belongs to

              <inode_number>
                     the socket's inode number in VFS

              <cookie>
                     a UUID of the socket

       -m, --memory
              Show socket memory usage. The output format is:

              skmem:(r<rmem_alloc>,rb<rcv_buf>,t<wmem_alloc>,tb<snd_buf>,
                            f<fwd_alloc>,w<wmem_queued>,o<opt_mem>,
                            bl<back_log>,d<sock_drop>)

              <rmem_alloc>
                     the memory allocated for receiving packets

              <rcv_buf>
                     the total memory that can be allocated for receiving
                     packets

              <wmem_alloc>
                     the memory used for sending packets (which have been
                     sent to layer 3)

              <snd_buf>
                     the total memory that can be allocated for sending
                     packets

              <fwd_alloc>
                     the memory allocated by the socket as cache, but not yet
                     used for receiving/sending packets. If memory is needed
                     to send/receive a packet, the memory in this cache will
                     be used before additional memory is allocated.

              <wmem_queued>
                     the memory allocated for sending packets (which have not
                     been sent to layer 3)

              <opt_mem>
                     the memory used for storing socket options, e.g., the
                     key for TCP MD5 signature

              <back_log>
                     the memory used for the sk backlog queue. In process
                     context, if the process is receiving a packet and a new
                     packet is received, it will be put into the sk backlog
                     queue, so it can be received by the process immediately

              <sock_drop>
                     the number of packets dropped before they are
                     de-multiplexed into the socket

       -p, --processes
              Show process using socket.

       -T, --threads
              Show thread using socket. Implies -p.

       -i, --info
              Show internal TCP information. The following fields may appear:

              ts     show string "ts" if the timestamp option is set

              sack   show string "sack" if the sack option is set

              ecn    show string "ecn" if the explicit congestion notification
                     option is set

              ecnseen
                     show string "ecnseen" if the saw ecn flag is found in
                     received packets

              fastopen
                     show string "fastopen" if the fastopen option is set

              cong_alg
                     the congestion algorithm name; the default congestion
                     algorithm is "cubic"

              wscale:<snd_wscale>:<rcv_wscale>
                     if the window scale option is used, this field shows the
                     send scale factor and receive scale factor

              rto:<icsk_rto>
                     tcp re-transmission timeout value, in milliseconds

              backoff:<icsk_backoff>
                     used for exponential backoff re-transmission; the actual
                     re-transmission timeout value is icsk_rto << icsk_backoff

              rtt:<rtt>/<rttvar>
                     rtt is the average round trip time, rttvar is the mean
                     deviation of rtt; both are in milliseconds

              ato:<ato>
                     ack timeout in milliseconds, used for delayed ack mode

              mss:<mss>
                     max segment size

              cwnd:<cwnd>
                     congestion window size

              pmtu:<pmtu>
                     path MTU value

              ssthresh:<ssthresh>
                     tcp congestion window slow start threshold

              bytes_acked:<bytes_acked>
                     bytes acked

              bytes_received:<bytes_received>
                     bytes received

              segs_out:<segs_out>
                     segments sent out

              segs_in:<segs_in>
                     segments received

              send <send_bps>bps
                     egress bps

              lastsnd:<lastsnd>
                     how long since the last packet was sent, in milliseconds

              lastrcv:<lastrcv>
                     how long since the last packet was received, in
                     milliseconds

              lastack:<lastack>
                     how long since the last ack was received, in milliseconds

              pacing_rate <pacing_rate>bps/<max_pacing_rate>bps
                     the pacing rate and max pacing rate

              rcv_space:<rcv_space>
                     a helper variable for TCP internal auto tuning of the
                     socket receive buffer

              tcp-ulp-mptcp flags:[MmBbJjecv]
              token:<rem_token(rem_id)/loc_token(loc_id)> seq:<sn>
              sfseq:<ssn> ssnoff:<off> maplen:<maplen>
                     MPTCP subflow information

       --tos  Show ToS and priority information. The following fields may
              appear:

              tos    IPv4 Type-of-Service byte

              tclass IPv6 Traffic Class byte

              class_id
                     Class id set by net_cls cgroup. If class is zero this
                     shows priority set by SO_PRIORITY.

       --cgroup
              Show cgroup information. The following fields may appear:

              cgroup Cgroup v2 pathname. This pathname is relative to the
                     mount point of the hierarchy.

       --tipcinfo
              Show internal tipc socket information.

       -K, --kill
              Attempts to forcibly close sockets. This option displays
              sockets that are successfully closed and silently skips
              sockets that the kernel does not support closing. It supports
              IPv4 and IPv6 sockets only.

       -s, --summary
              Print summary statistics. This option does not parse socket
              lists, obtaining the summary from various sources instead. It
              is useful when the number of sockets is so large that parsing
              /proc/net/tcp is painful.

       -E, --events
              Continually display sockets as they are destroyed.

       -Z, --context
              As the -p option but also shows process security context. If
              the -T option is used, also shows thread security context.

              For netlink(7) sockets the initiating process context is
              displayed as follows:

                     1.  If valid pid show the process context.

                     2.  If destination is kernel (pid = 0) show kernel
                         initial context.

                     3.  If a unique identifier has been allocated by the
                         kernel or netlink user, show context as
                         "unavailable". This will generally indicate that a
                         process has more than one netlink socket active.

       -z, --contexts
              As the -Z option but also shows the socket context. The socket
              context is taken from the associated inode and is not the
              actual socket context held by the kernel. Sockets are
              typically labeled with the context of the creating process;
              however, the context shown will reflect any policy role, type
              and/or range transition rules applied, and is therefore a
              useful reference.

       -N NSNAME, --net=NSNAME
              Switch to the specified network namespace name.

       -b, --bpf
              Show socket classic BPF filters (only administrators are
              allowed to get this information).

       -4, --ipv4
              Display only IP version 4 sockets (alias for -f inet).

       -6, --ipv6
              Display only IP version 6 sockets (alias for -f inet6).

       -0, --packet
              Display PACKET sockets (alias for -f link).

       -t, --tcp
              Display TCP sockets.

       -u, --udp
              Display UDP sockets.

       -d, --dccp
              Display DCCP sockets.

       -w, --raw
              Display RAW sockets.

       -x, --unix
              Display Unix domain sockets (alias for -f unix).

       -S, --sctp
              Display SCTP sockets.

       --tipc Display tipc sockets (alias for -f tipc).

       --vsock
              Display vsock sockets (alias for -f vsock).

       --xdp  Display XDP sockets (alias for -f xdp).

       -M, --mptcp
              Display MPTCP sockets.

       --inet-sockopt
              Display inet socket options.

       -f FAMILY, --family=FAMILY
              Display sockets of type FAMILY. Currently the following
              families are supported: unix, inet, inet6, link, netlink,
              vsock, tipc, xdp.

       -A QUERY, --query=QUERY, --socket=QUERY
              List of socket tables to dump, separated by commas. The
              following identifiers are understood: all, inet, tcp, udp,
              raw, unix, packet, netlink, unix_dgram, unix_stream,
              unix_seqpacket, packet_raw, packet_dgram, dccp, sctp, tipc,
              vsock_stream, vsock_dgram, xdp, mptcp. Any item in the list
              may optionally be prefixed by an exclamation mark (!) to
              exclude that socket table from being dumped.

       -D FILE, --diag=FILE
              Do not display anything, just dump raw information about TCP
              sockets to FILE after applying filters. If FILE is -, stdout
              is used.

       -F FILE, --filter=FILE
              Read filter information from FILE. Each line of FILE is
              interpreted like a single command line option. If FILE is -,
              stdin is used.

       FILTER := [ state STATE-FILTER ] [ EXPRESSION ]
              Please take a look at the official documentation for details
              regarding filters.
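
The skmem layout described under -m above can be parsed mechanically to spot sockets whose receiver is falling behind. The following Python sketch is an added example, not part of the ss manual or of iproute2; the sample lines are constructed, and the function names and the 0.9 fill ratio are assumptions.

```python
import re

# Constructed sample of `ss -H -O -t -n -m` output (not captured from a real host).
SAMPLE = """\
ESTAB 0 0 192.0.2.10:22 198.51.100.7:51514 skmem:(r0,rb131072,t0,tb87040,f0,w0,o0,bl0,d0)
ESTAB 130560 0 192.0.2.10:8443 198.51.100.9:40022 skmem:(r131072,rb131072,t0,tb87040,f0,w0,o0,bl2304,d17)
ESTAB 0 0 192.0.2.10:5432 192.0.2.20:49152
"""

# skmem prefixes mapped to the field names used under -m.
SKMEM_KEYS = {
    "r": "rmem_alloc", "rb": "rcv_buf", "t": "wmem_alloc", "tb": "snd_buf", "f": "fwd_alloc",
    "w": "wmem_queued", "o": "opt_mem", "bl": "back_log", "d": "sock_drop",
}
SKMEM_RE = re.compile(r"skmem:\(([^)]*)\)")
ITEM_RE = re.compile(r"([a-z]+)(\d+)$")

def parse_skmem(line):
    """Return the skmem fields of one ss output line as a dict, or None."""
    match = SKMEM_RE.search(line)
    if match is None:
        return None
    fields = {}
    for item in match.group(1).split(","):
        parsed = ITEM_RE.match(item.strip())
        if parsed and parsed.group(1) in SKMEM_KEYS:
            fields[SKMEM_KEYS[parsed.group(1)]] = int(parsed.group(2))
    return fields

def memory_findings(text, fill_ratio=0.9):
    """List (local, peer, reasons) for sockets showing receive-side pressure."""
    findings = []
    for line in text.splitlines():
        cols, mem = line.split(), parse_skmem(line)
        if len(cols) < 5 or mem is None:
            continue  # short line, or a line printed without skmem data
        reasons = []
        if mem.get("sock_drop", 0) > 0:
            reasons.append(f"dropped={mem['sock_drop']}")
        if mem.get("rcv_buf") and mem.get("rmem_alloc", 0) >= fill_ratio * mem["rcv_buf"]:
            reasons.append("rcv_buf_near_full")
        if mem.get("back_log", 0) > 0:
            reasons.append("backlog_in_use")
        if reasons:
            findings.append((cols[3], cols[4], reasons))
    return findings

if __name__ == "__main__":
    print(memory_findings(SAMPLE))
```

The column positions assume a single socket table (-t), where ss prints no Netid column.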


STATE-FILTER
       STATE-FILTER allows one to construct an arbitrary set of states to
       match. Its syntax is a sequence of the keywords state and exclude,
       each followed by the identifier of a state.

       Available identifiers are:

              All standard TCP states: established, syn-sent, syn-recv,
              fin-wait-1, fin-wait-2, time-wait, closed, close-wait,
              last-ack, listening and closing.

              all - for all the states

              connected - all the states except for listening and closed

              synchronized - all the connected states except for syn-sent

              bucket - states which are maintained as minisockets, i.e.
              time-wait and syn-recv

              big - opposite to bucket

EXPRESSION
       EXPRESSION allows filtering based on specific criteria. EXPRESSION
       consists of a series of predicates combined by boolean operators. The
       possible operators in increasing order of precedence are or (or | or
       ||), and (or & or &&), and not (or !). If no operator is between
       consecutive predicates, an implicit and operator is assumed.
       Subexpressions can be grouped with "(" and ")".

       The following predicates are supported:

       {dst|src} [=] HOST
              Test if the destination or source matches HOST. See HOST SYNTAX
              for details.

       {dport|sport} [OP] [FAMILY:]:PORT
              Compare the destination or source port to PORT. OP can be any of
              "<", "<=", "=", "!=", ">=" and ">", following normal arithmetic
              rules. FAMILY and PORT are as described in HOST SYNTAX below.

       dev [=|!=] DEVICE
              Match based on the device the connection uses. DEVICE can either
              be a device name or the index of the interface.

       fwmark [=|!=] MASK
              Matches based on the fwmark value for the connection. This can
              either be a specific mark value or a mark value followed by a
              "/" and a bitmask of which bits to use in the comparison. For
              example "fwmark = 0x01/0x03" would match if the two least
              significant bits of the fwmark were 0x01.

       cgroup [=|!=] PATH
              Match if the connection is part of a cgroup at the given path.

       autobound
              Match if the port or path of the source address was
              automatically allocated (rather than explicitly specified).

       Most operators have aliases. If no operator is supplied "=" is assumed.
       The operators in each of the following groups are equivalent:

              • = == eq

              • != ne neq

              • > gt

              • < lt

              • >= ge geq

              • <= le leq

              • ! not

              • | || or

              • & && and

HOST SYNTAX
       The general host syntax is [FAMILY:]ADDRESS[:PORT].

       FAMILY must be one of the families supported by the -f option. If not
       given it defaults to the family given with the -f option, and if that
       is also missing, will assume either inet or inet6. Note that all host
       conditions in the expression should either all be the same family or be
       only inet and inet6. If there is some other mixture of families, the
       results will probably be unexpected.

       The form of ADDRESS and PORT depends on the family used. "*" can be
       used as a wildcard for either the address or port. The details for each
       family are as follows:

       unix   ADDRESS is a glob pattern (see fnmatch(3)) that will be matched
              case-insensitively against the unix socket's address. Both path
              and abstract names are supported. Unix addresses do not support
              a port, and "*" cannot be used as a wildcard.

       link   ADDRESS is the case-insensitive name of an Ethernet protocol to
              match. PORT is either a device name or a device index for the
              desired link device, as seen in the output of ip link.

       netlink
              ADDRESS is a descriptor of the netlink family. Possible values
              come from /etc/iproute2/nl_protos. PORT is the port id of the
              socket, which is usually the same as the owning process id. The
              value "kernel" can be used to represent the kernel (port id of
              0).

       vsock  ADDRESS is an integer representing the CID address, and PORT is
              the port.

       inet and inet6
              ADDRESS is an ip address (either v4 or v6 depending on the
              family) or a DNS hostname that resolves to an ip address of the
              required version. An ipv6 address must be enclosed in "[" and
              "]" to disambiguate the port separator. The address may
              additionally have a prefix length given in CIDR notation (a
              slash followed by the prefix length in bits). PORT is either the
              numerical socket port, or the service name for the port to
              match.

USAGE EXAMPLES
       ss -t -a
              Display all TCP sockets.

       ss -t -a -Z
              Display all TCP sockets with process SELinux security contexts.

       ss -u -a
              Display all UDP sockets.

       ss -o state established '( dport = :ssh or sport = :ssh )'
              Display all established ssh connections.

       ss -x src /tmp/.X11-unix/*
              Find all local processes connected to X server.

       ss -o state fin-wait-1 '( sport = :http or sport = :https )' dst
       193.233.7/24
              List all the tcp sockets in state FIN-WAIT-1 for our apache to
              network 193.233.7/24 and look at their timers.

       ss -a -A 'all,!tcp'
              List sockets in all states from all socket tables but TCP.
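
Combining -l, -p and -e with -H and -O gives one parseable line per listening socket, which is enough for a quick exposure review. The following Python sketch is an added example, not part of the ss manual or of iproute2; the sample lines are constructed, the function names are hypothetical, and treating a missing uid: field as uid 0 is an assumption about how ss prints root-owned sockets that should be checked against the installed version.

```python
import re

# Constructed sample of `ss -H -O -n -l -t -u -p -e` output (not from a real host).
SAMPLE = """\
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3)) ino:21034 sk:1 <->
tcp LISTEN 0 244 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=977,fd=6)) uid:113 ino:23310 sk:2 <->
tcp LISTEN 0 511 [::]:8080 [::]:* users:(("node",pid=4410,fd=19)) uid:1001 ino:88121 sk:3 <->
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=601,fd=13)) uid:101 ino:19977 sk:4 <->
udp UNCONN 0 0 *:5353 *:* ino:20455 sk:5 <->
"""

PROC_RE = re.compile(r'\("([^"]*)",pid=(\d+),fd=\d+\)')
UID_RE = re.compile(r"\buid:(\d+)")
INO_RE = re.compile(r"\bino:(\d+)")
WILDCARD = {"0.0.0.0", "*", "[::]"}

def parse_listeners(text):
    """Parse one-line ss output (Netid column present) into dicts."""
    rows = []
    for line in text.splitlines():
        cols = line.split(None, 6)
        if len(cols) < 6:
            continue
        detail = cols[6] if len(cols) > 6 else ""
        addr, _, port = cols[4].rpartition(":")  # last colon, so "[::]" stays intact
        uid, ino = UID_RE.search(detail), INO_RE.search(detail)
        rows.append({
            "proto": cols[0], "addr": addr.split("%", 1)[0], "port": port,
            # Assumption: ss omits uid: for root-owned sockets, so absent means 0.
            "uid": int(uid.group(1)) if uid else 0,
            "inode": int(ino.group(1)) if ino else None,
            "procs": [(name, int(pid)) for name, pid in PROC_RE.findall(detail)],
        })
    return rows

def exposed(rows):
    """Return (proto, endpoint, tags) for listeners not bound to loopback."""
    report = []
    for row in rows:
        if row["addr"].startswith("127.") or row["addr"] == "[::1]":
            continue
        tags = []
        if row["addr"] in WILDCARD:
            tags.append("all-interfaces")
        if row["uid"] == 0:
            tags.append("root-owned")
        if not row["procs"]:
            tags.append("no-visible-process")
        report.append((row["proto"], f'{row["addr"]}:{row["port"]}', tags))
    return report

if __name__ == "__main__":
    print(exposed(parse_listeners(SAMPLE)))
```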

SEE ALSO
       ip(8),
       RFC 793 - https://tools.ietf.org/rfc/rfc793.txt (TCP states)

AUTHOR
       ss was written by Alexey Kuznetsov, <kuznet@ms2.inr.ac.ru>.

       This manual page was written by Michael Prokop <mika@grml.org> for the
       Debian project (but may be used by others).