man: ss.8: Describe --events option

[mirror_iproute2.git] / man / man8 / ss.8

.TH SS 8
.SH NAME
ss \- another utility to investigate sockets
.SH SYNOPSIS
.B ss
.RI [ options ] " [ FILTER ]"
.SH DESCRIPTION
.B ss
is used to dump socket statistics. It allows showing information similar
to
.IR netstat .
It can display more TCP and state informations than other tools.

.SH OPTIONS
When no option is used ss displays a list of
open non-listening sockets (e.g. TCP/UNIX/UDP) that have established connection.
.TP
.B \-h, \-\-help
Show summary of options.
.TP
.B \-V, \-\-version
Output version information.
.TP
.B \-H, \-\-no-header
Suppress header line.
.TP
.B \-n, \-\-numeric
Do not try to resolve service names.
.TP
.B \-r, \-\-resolve
Try to resolve numeric address/ports.
.TP
.B \-a, \-\-all
Display both listening and non-listening (for TCP this means established connections) sockets.
.TP
.B \-l, \-\-listening
Display only listening sockets (these are omitted by default).
.TP
.B \-o, \-\-options
Show timer information. For tcp protocol, the output format is:
.RS
.P
timer:(<timer_name>,<expire_time>,<retrans>)
.P
.TP
.B <timer_name>
the name of the timer, there are five kind of timer names:
.RS
.P
.BR on ": means one of these timers: tcp retrans timer, tcp early retrans timer and tail loss probe timer"
.P
.BR keepalive ": tcp keep alive timer"
.P
.BR timewait ": timewait stage timer"
.P
.BR persist ": zero window probe timer"
.P
.BR unknown ": none of the above timers"
.RE
.TP
.B <expire_time>
how long time the timer will expire
.P
.TP
.B <retrans>
how many times the retran occurs
.RE
.TP
.B \-e, \-\-extended
Show detailed socket information. The output format is:
.RS
.P
uid:<uid_number> ino:<inode_number> sk:<cookie>
.P
.TP
.B <uid_number>
the user id the socket belongs to
.P
.TP
.B <inode_number>
the socket's inode number in VFS
.P
.TP
.B <cookie>
an uuid of the socket
.RE
.TP
.B \-m, \-\-memory
Show socket memory usage. The output format is:
.RS
.P
skmem:(r<rmem_alloc>,rb<rcv_buf>,t<wmem_alloc>,tb<snd_buf>,f<fwd_alloc>,w<wmem_queued>,o<opt_mem>,bl<back_log>)
.P
.TP
.B <rmem_alloc>
the memory allocated for receiving packet
.P
.TP
.B <rcv_buf>
the total memory can be allocated for receiving packet
.P
.TP
.B <wmem_alloc>
the memory used for sending packet (which has been sent to layer 3)
.P
.TP
.B <snd_buf>
the total memory can be allocated for sending packet
.P
.TP
.B <fwd_alloc>
the memory allocated by the socket as cache, but not used for receiving/sending packet yet. If need memory to send/receive packet, the memory in this cache will be used before allocate additional memory.
.P
.TP
.B <wmem_queued>
The memory allocated for sending packet (which has not been sent to layer 3)
.P
.TP
.B <opt_mem>
The memory used for storing socket option, e.g., the key for TCP MD5 signature
.P
.TP
.B <back_log>
The memory used for the sk backlog queue. On a process context, if the process is receiving packet, and a new packet is received, it will be put into the sk backlog queue, so it can be received by the process immediately
.RE
.TP
.B \-p, \-\-processes
Show process using socket.
.TP
.B \-i, \-\-info
Show internal TCP information. Below fields may appear:
.RS
.P
.TP
.B ts
show string "ts" if the timestamp option is set
.P
.TP
.B sack
show string "sack" if the sack option is set
.P
.TP
.B ecn
show string "ecn" if the explicit congestion notification option is set
.P
.TP
.B ecnseen
show string "ecnseen" if the saw ecn flag is found in received packets
.P
.TP
.B fastopen
show string "fastopen" if the fastopen option is set
.P
.TP
.B cong_alg
the congestion algorithm name, the default congestion algorithm is "cubic"
.P
.TP
.B wscale:<snd_wscale>:<rcv_wscale>
if window scale option is used, this field shows the send scale factory and receive scale factory
.P
.TP
.B rto:<icsk_rto>
tcp re-transmission timeout value, the unit is millisecond
.P
.TP
.B backoff:<icsk_backoff>
used for exponential backoff re-transmission, the actual re-transmission timeout value is icsk_rto << icsk_backoff
.P
.TP
.B rtt:<rtt>/<rttvar>
rtt is the average round trip time, rttvar is the mean deviation of rtt, their units are millisecond
.P
.TP
.B ato:<ato>
ack timeout, unit is millisecond, used for delay ack mode
.P
.TP
.B mss:<mss>
max segment size
.P
.TP
.B cwnd:<cwnd>
congestion window size
.P
.TP
.B pmtu:<pmtu>
path MTU value
.P
.TP
.B ssthresh:<ssthresh>
tcp congestion window slow start threshold
.P
.TP
.B bytes_acked:<bytes_acked>
bytes acked
.P
.TP
.B bytes_received:<bytes_received>
bytes received
.P
.TP
.B segs_out:<segs_out>
segments sent out
.P
.TP
.B segs_in:<segs_in>
segments received
.P
.TP
.B send <send_bps>bps
egress bps
.P
.TP
.B lastsnd:<lastsnd>
how long time since the last packet sent, the unit is millisecond
.P
.TP
.B lastrcv:<lastrcv>
how long time since the last packet received, the unit is millisecond
.P
.TP
.B lastack:<lastack>
how long time since the last ack received, the unit is millisecond
.P
.TP
.B pacing_rate <pacing_rate>bps/<max_pacing_rate>bps
the pacing rate and max pacing rate
.P
.TP
.B rcv_space:<rcv_space>
a helper variable for TCP internal auto tuning socket receive buffer
.RE
.TP
.B \-K, \-\-kill
Attempts to forcibly close sockets. This option displays sockets that are
successfully closed and silently skips sockets that the kernel does not support
closing. It supports IPv4 and IPv6 sockets only.
.TP
.B \-s, \-\-summary
Print summary statistics. This option does not parse socket lists obtaining
summary from various sources. It is useful when amount of sockets is so huge
that parsing /proc/net/tcp is painful.
.TP
.B \-E, \-\-events
Continually display sockets as they are destroyed
.TP
.B \-Z, \-\-context
As the
.B \-p
option but also shows process security context.
.sp
For
.BR netlink (7)
sockets the initiating process context is displayed as follows:
.RS
.RS
.IP "1." 4
If valid pid show the process context.
.IP "2." 4
If destination is kernel (pid = 0) show kernel initial context.
.IP "3." 4
If a unique identifier has been allocated by the kernel or netlink user,
show context as "unavailable". This will generally indicate that a
process has more than one netlink socket active.
.RE
.RE
.TP
.B \-z, \-\-contexts
As the
.B \-Z
option but also shows the socket context. The socket context is
taken from the associated inode and is not the actual socket
context held by the kernel. Sockets are typically labeled with the
context of the creating process, however the context shown will reflect
any policy role, type and/or range transition rules applied,
and is therefore a useful reference.
.TP
.B \-N NSNAME, \-\-net=NSNAME
Switch to the specified network namespace name.
.TP
.B \-b, \-\-bpf
Show socket BPF filters (only administrators are allowed to get these information).
.TP
.B \-4, \-\-ipv4
Display only IP version 4 sockets (alias for -f inet).
.TP
.B \-6, \-\-ipv6
Display only IP version 6 sockets (alias for -f inet6).
.TP
.B \-0, \-\-packet
Display PACKET sockets (alias for -f link).
.TP
.B \-t, \-\-tcp
Display TCP sockets.
.TP
.B \-u, \-\-udp
Display UDP sockets.
.TP
.B \-d, \-\-dccp
Display DCCP sockets.
.TP
.B \-w, \-\-raw
Display RAW sockets.
.TP
.B \-x, \-\-unix
Display Unix domain sockets (alias for -f unix).
.TP
.B \-S, \-\-sctp
Display SCTP sockets.
.TP
.B \-\-vsock
Display vsock sockets (alias for -f vsock).
.TP
.B \-f FAMILY, \-\-family=FAMILY
Display sockets of type FAMILY.
Currently the following families are supported: unix, inet, inet6, link, netlink, vsock.
.TP
.B \-A QUERY, \-\-query=QUERY, \-\-socket=QUERY
List of socket tables to dump, separated by commas. The following identifiers
are understood: all, inet, tcp, udp, raw, unix, packet, netlink, unix_dgram,
unix_stream, unix_seqpacket, packet_raw, packet_dgram, dccp, sctp,
vsock_stream, vsock_dgram. Any item in the list may optionally be prefixed by
an exclamation mark
.RB ( ! )
to exclude that socket table from being dumped.
.TP
.B \-D FILE, \-\-diag=FILE
Do not display anything, just dump raw information about TCP sockets to FILE after applying filters. If FILE is - stdout is used.
.TP
.B \-F FILE, \-\-filter=FILE
Read filter information from FILE.
Each line of FILE is interpreted like single command line option. If FILE is - stdin is used.
.TP
.B FILTER := [ state STATE-FILTER ] [ EXPRESSION ]
Please take a look at the official documentation for details regarding filters.

.SH STATE-FILTER

.B STATE-FILTER
allows to construct arbitrary set of states to match. Its syntax is sequence of keywords state and exclude followed by identifier of state.
.TP
Available identifiers are:

All standard TCP states:
.BR established ", " syn-sent ", " syn-recv ", " fin-wait-1 ", " fin-wait-2 ", " time-wait ", " closed ", " close-wait ", " last-ack ", "
.BR  listening " and " closing.

.B all
- for all the states

.B connected
- all the states except for
.BR listening " and " closed

.B synchronized
- all the
.B connected
states except for
.B syn-sent

.B bucket
- states, which are maintained as minisockets, i.e.
.BR time-wait " and " syn-recv

.B big
- opposite to
.B bucket

.SH USAGE EXAMPLES
.TP
.B ss -t -a
Display all TCP sockets.
.TP
.B ss -t -a -Z
Display all TCP sockets with process SELinux security contexts.
.TP
.B ss -u -a
Display all UDP sockets.
.TP
.B ss -o state established '( dport = :ssh or sport = :ssh )'
Display all established ssh connections.
.TP
.B ss -x src /tmp/.X11-unix/*
Find all local processes connected to X server.
.TP
.B ss -o state fin-wait-1 '( sport = :http or sport = :https )' dst 193.233.7/24
List all the tcp sockets in state FIN-WAIT-1 for our apache to network 193.233.7/24 and look at their timers.
.TP
.B ss -a -A 'all,!tcp'
List sockets in all states from all socket tables but TCP.
.SH SEE ALSO
.BR ip (8),
.br
.BR RFC " 793 "
- https://tools.ietf.org/rfc/rfc793.txt (TCP states)

.SH AUTHOR
.I ss
was written by Alexey Kuznetsov, <kuznet@ms2.inr.ac.ru>.
.PP
This manual page was written by Michael Prokop <mika@grml.org>
for the Debian project (but may be used by others).