]>
Commit | Line | Data |
---|---|---|
d7eeca84 SH |
1 | .TH SS 8 |
2 | .SH NAME | |
3 | ss \- another utility to investigate sockets | |
4 | .SH SYNOPSIS | |
5 | .B ss | |
6 | .RI [ options ] " [ FILTER ]" | |
7 | .SH DESCRIPTION | |
8 | .B ss | |
9 | is used to dump socket statistics. It allows showing information similar | |
10 | to | |
11 | .IR netstat . | |
b096fa5f | 12 | It can display more TCP and state informations than other tools. |
d7eeca84 SH |
13 | |
14 | .SH OPTIONS | |
5699275b | 15 | When no option is used ss displays a list of |
814f9b99 | 16 | open non-listening sockets (e.g. TCP/UNIX/UDP) that have established connection. |
d7eeca84 SH |
17 | .TP |
18 | .B \-h, \-\-help | |
19 | Show summary of options. | |
20 | .TP | |
21 | .B \-V, \-\-version | |
22 | Output version information. | |
23 | .TP | |
7a4559f6 DA |
24 | .B \-H, \-\-no-header |
25 | Suppress header line. | |
26 | .TP | |
d7eeca84 | 27 | .B \-n, \-\-numeric |
d98e300c | 28 | Do not try to resolve service names. |
d7eeca84 SH |
29 | .TP |
30 | .B \-r, \-\-resolve | |
31 | Try to resolve numeric address/ports. | |
32 | .TP | |
33 | .B \-a, \-\-all | |
5d805635 | 34 | Display both listening and non-listening (for TCP this means established connections) sockets. |
d7eeca84 SH |
35 | .TP |
36 | .B \-l, \-\-listening | |
5d805635 | 37 | Display only listening sockets (these are omitted by default). |
d7eeca84 SH |
38 | .TP |
39 | .B \-o, \-\-options | |
5a9bca71 | 40 | Show timer information. For tcp protocol, the output format is: |
41 | .RS | |
42 | .P | |
43 | timer:(<timer_name>,<expire_time>,<retrans>) | |
44 | .P | |
45 | .TP | |
46 | .B <timer_name> | |
47 | the name of the timer, there are five kind of timer names: | |
48 | .RS | |
49 | .P | |
50 | .BR on ": means one of these timers: tcp retrans timer, tcp early retrans timer and tail loss probe timer" | |
51 | .P | |
52 | .BR keepalive ": tcp keep alive timer" | |
53 | .P | |
54 | .BR timewait ": timewait stage timer" | |
55 | .P | |
56 | .BR persist ": zero window probe timer" | |
57 | .P | |
58 | .BR unknown ": none of the above timers" | |
59 | .RE | |
60 | .TP | |
61 | .B <expire_time> | |
62 | how long time the timer will expire | |
63 | .P | |
64 | .TP | |
65 | .B <retrans> | |
66 | how many times the retran occurs | |
67 | .RE | |
d7eeca84 SH |
68 | .TP |
69 | .B \-e, \-\-extended | |
5a9bca71 | 70 | Show detailed socket information. The output format is: |
71 | .RS | |
72 | .P | |
73 | uid:<uid_number> ino:<inode_number> sk:<cookie> | |
74 | .P | |
75 | .TP | |
76 | .B <uid_number> | |
77 | the user id the socket belongs to | |
78 | .P | |
79 | .TP | |
80 | .B <inode_number> | |
81 | the socket's inode number in VFS | |
82 | .P | |
83 | .TP | |
84 | .B <cookie> | |
85 | an uuid of the socket | |
86 | .RE | |
d7eeca84 SH |
87 | .TP |
88 | .B \-m, \-\-memory | |
5a9bca71 | 89 | Show socket memory usage. The output format is: |
90 | .RS | |
91 | .P | |
92 | skmem:(r<rmem_alloc>,rb<rcv_buf>,t<wmem_alloc>,tb<snd_buf>,f<fwd_alloc>,w<wmem_queued>,o<opt_mem>,bl<back_log>) | |
93 | .P | |
94 | .TP | |
95 | .B <rmem_alloc> | |
96 | the memory allocated for receiving packet | |
97 | .P | |
98 | .TP | |
99 | .B <rcv_buf> | |
100 | the total memory can be allocated for receiving packet | |
101 | .P | |
102 | .TP | |
103 | .B <wmem_alloc> | |
104 | the memory used for sending packet (which has been sent to layer 3) | |
105 | .P | |
106 | .TP | |
107 | .B <snd_buf> | |
108 | the total memory can be allocated for sending packet | |
109 | .P | |
110 | .TP | |
111 | .B <fwd_alloc> | |
112 | the memory allocated by the socket as cache, but not used for receiving/sending packet yet. If need memory to send/receive packet, the memory in this cache will be used before allocate additional memory. | |
113 | .P | |
114 | .TP | |
115 | .B <wmem_queued> | |
116 | The memory allocated for sending packet (which has not been sent to layer 3) | |
117 | .P | |
118 | .TP | |
119 | .B <opt_mem> | |
120 | The memory used for storing socket option, e.g., the key for TCP MD5 signature | |
121 | .P | |
122 | .TP | |
123 | .B <back_log> | |
124 | The memory used for the sk backlog queue. On a process context, if the process is receiving packet, and a new packet is received, it will be put into the sk backlog queue, so it can be received by the process immediately | |
125 | .RE | |
d7eeca84 SH |
126 | .TP |
127 | .B \-p, \-\-processes | |
128 | Show process using socket. | |
129 | .TP | |
130 | .B \-i, \-\-info | |
5a9bca71 | 131 | Show internal TCP information. Below fields may appear: |
132 | .RS | |
133 | .P | |
134 | .TP | |
135 | .B ts | |
136 | show string "ts" if the timestamp option is set | |
137 | .P | |
138 | .TP | |
139 | .B sack | |
140 | show string "sack" if the sack option is set | |
141 | .P | |
142 | .TP | |
143 | .B ecn | |
144 | show string "ecn" if the explicit congestion notification option is set | |
145 | .P | |
146 | .TP | |
147 | .B ecnseen | |
148 | show string "ecnseen" if the saw ecn flag is found in received packets | |
149 | .P | |
150 | .TP | |
151 | .B fastopen | |
152 | show string "fastopen" if the fastopen option is set | |
153 | .P | |
154 | .TP | |
155 | .B cong_alg | |
156 | the congestion algorithm name, the default congestion algorithm is "cubic" | |
157 | .P | |
158 | .TP | |
159 | .B wscale:<snd_wscale>:<rcv_wscale> | |
160 | if window scale option is used, this field shows the send scale factory and receive scale factory | |
161 | .P | |
162 | .TP | |
163 | .B rto:<icsk_rto> | |
164 | tcp re-transmission timeout value, the unit is millisecond | |
165 | .P | |
166 | .TP | |
167 | .B backoff:<icsk_backoff> | |
168 | used for exponential backoff re-transmission, the actual re-transmission timeout value is icsk_rto << icsk_backoff | |
169 | .P | |
170 | .TP | |
171 | .B rtt:<rtt>/<rttvar> | |
172 | rtt is the average round trip time, rttvar is the mean deviation of rtt, their units are millisecond | |
173 | .P | |
174 | .TP | |
175 | .B ato:<ato> | |
176 | ack timeout, unit is millisecond, used for delay ack mode | |
177 | .P | |
178 | .TP | |
179 | .B mss:<mss> | |
180 | max segment size | |
181 | .P | |
182 | .TP | |
183 | .B cwnd:<cwnd> | |
184 | congestion window size | |
185 | .P | |
186 | .TP | |
3d791a32 RM |
187 | .B pmtu:<pmtu> |
188 | path MTU value | |
189 | .P | |
190 | .TP | |
5a9bca71 | 191 | .B ssthresh:<ssthresh> |
192 | tcp congestion window slow start threshold | |
193 | .P | |
194 | .TP | |
195 | .B bytes_acked:<bytes_acked> | |
196 | bytes acked | |
197 | .P | |
198 | .TP | |
199 | .B bytes_received:<bytes_received> | |
200 | bytes received | |
201 | .P | |
202 | .TP | |
203 | .B segs_out:<segs_out> | |
204 | segments sent out | |
205 | .P | |
206 | .TP | |
207 | .B segs_in:<segs_in> | |
208 | segments received | |
209 | .P | |
210 | .TP | |
211 | .B send <send_bps>bps | |
212 | egress bps | |
213 | .P | |
214 | .TP | |
215 | .B lastsnd:<lastsnd> | |
216 | how long time since the last packet sent, the unit is millisecond | |
217 | .P | |
218 | .TP | |
219 | .B lastrcv:<lastrcv> | |
220 | how long time since the last packet received, the unit is millisecond | |
221 | .P | |
222 | .TP | |
223 | .B lastack:<lastack> | |
224 | how long time since the last ack received, the unit is millisecond | |
225 | .P | |
226 | .TP | |
227 | .B pacing_rate <pacing_rate>bps/<max_pacing_rate>bps | |
228 | the pacing rate and max pacing rate | |
229 | .P | |
230 | .TP | |
231 | .B rcv_space:<rcv_space> | |
232 | a helper variable for TCP internal auto tuning socket receive buffer | |
233 | .RE | |
d7eeca84 | 234 | .TP |
fb2594c1 LC |
235 | .B \-K, \-\-kill |
236 | Attempts to forcibly close sockets. This option displays sockets that are | |
237 | successfully closed and silently skips sockets that the kernel does not support | |
238 | closing. It supports IPv4 and IPv6 sockets only. | |
239 | .TP | |
d7eeca84 SH |
240 | .B \-s, \-\-summary |
241 | Print summary statistics. This option does not parse socket lists obtaining | |
242 | summary from various sources. It is useful when amount of sockets is so huge | |
243 | that parsing /proc/net/tcp is painful. | |
244 | .TP | |
d559db72 PS |
245 | .B \-E, \-\-events |
246 | Continually display sockets as they are destroyed | |
247 | .TP | |
116ac927 RH |
248 | .B \-Z, \-\-context |
249 | As the | |
250 | .B \-p | |
251 | option but also shows process security context. | |
252 | .sp | |
253 | For | |
254 | .BR netlink (7) | |
255 | sockets the initiating process context is displayed as follows: | |
256 | .RS | |
257 | .RS | |
258 | .IP "1." 4 | |
259 | If valid pid show the process context. | |
260 | .IP "2." 4 | |
261 | If destination is kernel (pid = 0) show kernel initial context. | |
262 | .IP "3." 4 | |
263 | If a unique identifier has been allocated by the kernel or netlink user, | |
264 | show context as "unavailable". This will generally indicate that a | |
265 | process has more than one netlink socket active. | |
266 | .RE | |
267 | .RE | |
268 | .TP | |
269 | .B \-z, \-\-contexts | |
270 | As the | |
271 | .B \-Z | |
272 | option but also shows the socket context. The socket context is | |
273 | taken from the associated inode and is not the actual socket | |
274 | context held by the kernel. Sockets are typically labeled with the | |
275 | context of the creating process, however the context shown will reflect | |
276 | any policy role, type and/or range transition rules applied, | |
277 | and is therefore a useful reference. | |
278 | .TP | |
95ce04bc VK |
279 | .B \-N NSNAME, \-\-net=NSNAME |
280 | Switch to the specified network namespace name. | |
281 | .TP | |
f3c2f91e ND |
282 | .B \-b, \-\-bpf |
283 | Show socket BPF filters (only administrators are allowed to get these information). | |
284 | .TP | |
d7eeca84 SH |
285 | .B \-4, \-\-ipv4 |
286 | Display only IP version 4 sockets (alias for -f inet). | |
287 | .TP | |
288 | .B \-6, \-\-ipv6 | |
289 | Display only IP version 6 sockets (alias for -f inet6). | |
290 | .TP | |
291 | .B \-0, \-\-packet | |
5d805635 | 292 | Display PACKET sockets (alias for -f link). |
d7eeca84 SH |
293 | .TP |
294 | .B \-t, \-\-tcp | |
5d805635 | 295 | Display TCP sockets. |
d7eeca84 SH |
296 | .TP |
297 | .B \-u, \-\-udp | |
5d805635 | 298 | Display UDP sockets. |
d7eeca84 SH |
299 | .TP |
300 | .B \-d, \-\-dccp | |
5d805635 | 301 | Display DCCP sockets. |
d7eeca84 SH |
302 | .TP |
303 | .B \-w, \-\-raw | |
5d805635 | 304 | Display RAW sockets. |
d7eeca84 SH |
305 | .TP |
306 | .B \-x, \-\-unix | |
5d805635 | 307 | Display Unix domain sockets (alias for -f unix). |
d7eeca84 | 308 | .TP |
f89d46ad PS |
309 | .B \-S, \-\-sctp |
310 | Display SCTP sockets. | |
311 | .TP | |
c759116a SH |
312 | .B \-\-vsock |
313 | Display vsock sockets (alias for -f vsock). | |
314 | .TP | |
d7eeca84 SH |
315 | .B \-f FAMILY, \-\-family=FAMILY |
316 | Display sockets of type FAMILY. | |
c759116a | 317 | Currently the following families are supported: unix, inet, inet6, link, netlink, vsock. |
d7eeca84 | 318 | .TP |
583de149 | 319 | .B \-A QUERY, \-\-query=QUERY, \-\-socket=QUERY |
d7eeca84 SH |
320 | List of socket tables to dump, separated by commas. The following identifiers |
321 | are understood: all, inet, tcp, udp, raw, unix, packet, netlink, unix_dgram, | |
c759116a | 322 | unix_stream, unix_seqpacket, packet_raw, packet_dgram, dccp, sctp, |
c121111e PS |
323 | vsock_stream, vsock_dgram. Any item in the list may optionally be prefixed by |
324 | an exclamation mark | |
325 | .RB ( ! ) | |
326 | to exclude that socket table from being dumped. | |
d7eeca84 | 327 | .TP |
583de149 | 328 | .B \-D FILE, \-\-diag=FILE |
d7eeca84 SH |
329 | Do not display anything, just dump raw information about TCP sockets to FILE after applying filters. If FILE is - stdout is used. |
330 | .TP | |
331 | .B \-F FILE, \-\-filter=FILE | |
332 | Read filter information from FILE. | |
333 | Each line of FILE is interpreted like single command line option. If FILE is - stdin is used. | |
334 | .TP | |
b93fe578 | 335 | .B FILTER := [ state STATE-FILTER ] [ EXPRESSION ] |
cd258764 | 336 | Please take a look at the official documentation for details regarding filters. |
b93fe578 VK |
337 | |
338 | .SH STATE-FILTER | |
339 | ||
340 | .B STATE-FILTER | |
341 | allows to construct arbitrary set of states to match. Its syntax is sequence of keywords state and exclude followed by identifier of state. | |
342 | .TP | |
343 | Available identifiers are: | |
344 | ||
345 | All standard TCP states: | |
346 | .BR established ", " syn-sent ", " syn-recv ", " fin-wait-1 ", " fin-wait-2 ", " time-wait ", " closed ", " close-wait ", " last-ack ", " | |
ae4e21c9 | 347 | .BR listening " and " closing. |
b93fe578 VK |
348 | |
349 | .B all | |
350 | - for all the states | |
351 | ||
352 | .B connected | |
353 | - all the states except for | |
ae4e21c9 | 354 | .BR listening " and " closed |
b93fe578 VK |
355 | |
356 | .B synchronized | |
357 | - all the | |
358 | .B connected | |
359 | states except for | |
360 | .B syn-sent | |
361 | ||
362 | .B bucket | |
363 | - states, which are maintained as minisockets, i.e. | |
364 | .BR time-wait " and " syn-recv | |
365 | ||
366 | .B big | |
367 | - opposite to | |
368 | .B bucket | |
369 | ||
d7eeca84 SH |
370 | .SH USAGE EXAMPLES |
371 | .TP | |
372 | .B ss -t -a | |
373 | Display all TCP sockets. | |
374 | .TP | |
116ac927 RH |
375 | .B ss -t -a -Z |
376 | Display all TCP sockets with process SELinux security contexts. | |
377 | .TP | |
d7eeca84 SH |
378 | .B ss -u -a |
379 | Display all UDP sockets. | |
380 | .TP | |
381 | .B ss -o state established '( dport = :ssh or sport = :ssh )' | |
382 | Display all established ssh connections. | |
383 | .TP | |
ea5dd59c | 384 | .B ss -x src /tmp/.X11-unix/* |
d7eeca84 SH |
385 | Find all local processes connected to X server. |
386 | .TP | |
387 | .B ss -o state fin-wait-1 '( sport = :http or sport = :https )' dst 193.233.7/24 | |
388 | List all the tcp sockets in state FIN-WAIT-1 for our apache to network 193.233.7/24 and look at their timers. | |
c121111e PS |
389 | .TP |
390 | .B ss -a -A 'all,!tcp' | |
391 | List sockets in all states from all socket tables but TCP. | |
d7eeca84 SH |
392 | .SH SEE ALSO |
393 | .BR ip (8), | |
b93fe578 VK |
394 | .br |
395 | .BR RFC " 793 " | |
5699275b | 396 | - https://tools.ietf.org/rfc/rfc793.txt (TCP states) |
b93fe578 | 397 | |
d7eeca84 | 398 | .SH AUTHOR |
5699275b | 399 | .I ss |
dd8fac8c | 400 | was written by Alexey Kuznetsov, <kuznet@ms2.inr.ac.ru>. |
d7eeca84 SH |
401 | .PP |
402 | This manual page was written by Michael Prokop <mika@grml.org> | |
403 | for the Debian project (but may be used by others). |