ss: add support for cgroup v2 information and filtering

[mirror_iproute2.git] / man / man8 / ss.8

.TH SS 8
.SH NAME
ss \- another utility to investigate sockets
.SH SYNOPSIS
.B ss
.RI [ options ] " [ FILTER ]"
.SH DESCRIPTION
.B ss
is used to dump socket statistics. It allows showing information similar
to
.IR netstat .
It can display more TCP and state information than other tools.

.SH OPTIONS
When no option is used ss displays a list of open non-listening
sockets (e.g. TCP/UNIX/UDP) that have established connection.
.TP
.B \-h, \-\-help
Show summary of options.
.TP
.B \-V, \-\-version
Output version information.
.TP
.B \-H, \-\-no-header
Suppress header line.
.TP
.B \-O, \-\-oneline
Print each socket's data on a single line.
.TP
.B \-n, \-\-numeric
Do not try to resolve service names. Show exact bandwidth values, instead of human-readable.
.TP
.B \-r, \-\-resolve
Try to resolve numeric address/ports.
.TP
.B \-a, \-\-all
Display both listening and non-listening (for TCP this means
established connections) sockets.
.TP
.B \-l, \-\-listening
Display only listening sockets (these are omitted by default).
.TP
.B \-o, \-\-options
Show timer information. For TCP protocol, the output format is:
.RS
.P
timer:(<timer_name>,<expire_time>,<retrans>)
.P
.TP
.B <timer_name>
the name of the timer, there are five kind of timer names:
.RS
.P
.B on
: means one of these timers: TCP retrans timer, TCP early retrans
timer and tail loss probe timer
.P
.BR keepalive ": tcp keep alive timer"
.P
.BR timewait ": timewait stage timer"
.P
.BR persist ": zero window probe timer"
.P
.BR unknown ": none of the above timers"
.RE
.TP
.B <expire_time>
how long time the timer will expire
.P
.TP
.B <retrans>
how many times the retransmission occured
.RE
.TP
.B \-e, \-\-extended
Show detailed socket information. The output format is:
.RS
.P
uid:<uid_number> ino:<inode_number> sk:<cookie>
.P
.TP
.B <uid_number>
the user id the socket belongs to
.P
.TP
.B <inode_number>
the socket's inode number in VFS
.P
.TP
.B <cookie>
an uuid of the socket
.RE
.TP
.B \-m, \-\-memory
Show socket memory usage. The output format is:
.RS
.P
skmem:(r<rmem_alloc>,rb<rcv_buf>,t<wmem_alloc>,tb<snd_buf>,
.br
.RS
.RS
f<fwd_alloc>,w<wmem_queued>,o<opt_mem>,
.RE
.RE
.br
.RS
.RS
bl<back_log>,d<sock_drop>)
.RE
.RE
.P
.TP
.B <rmem_alloc>
the memory allocated for receiving packet
.P
.TP
.B <rcv_buf>
the total memory can be allocated for receiving packet
.P
.TP
.B <wmem_alloc>
the memory used for sending packet (which has been sent to layer 3)
.P
.TP
.B <snd_buf>
the total memory can be allocated for sending packet
.P
.TP
.B <fwd_alloc>
the memory allocated by the socket as cache, but not used for
receiving/sending packet yet. If need memory to send/receive packet,
the memory in this cache will be used before allocate additional
memory.
.P
.TP
.B <wmem_queued>
The memory allocated for sending packet (which has not been sent to layer 3)
.P
.TP
.B <ropt_mem>
The memory used for storing socket option, e.g., the key for TCP MD5 signature
.P
.TP
.B <back_log>
The memory used for the sk backlog queue. On a process context, if the
process is receiving packet, and a new packet is received, it will be
put into the sk backlog queue, so it can be received by the process
immediately
.P
.TP
.B <sock_drop>
the number of packets dropped before they are de-multiplexed into the socket
.RE
.TP
.B \-p, \-\-processes
Show process using socket.
.TP
.B \-i, \-\-info
Show internal TCP information. Below fields may appear:
.RS
.P
.TP
.B ts
show string "ts" if the timestamp option is set
.P
.TP
.B sack
show string "sack" if the sack option is set
.P
.TP
.B ecn
show string "ecn" if the explicit congestion notification option is set
.P
.TP
.B ecnseen
show string "ecnseen" if the saw ecn flag is found in received packets
.P
.TP
.B fastopen
show string "fastopen" if the fastopen option is set
.P
.TP
.B cong_alg
the congestion algorithm name, the default congestion algorithm is "cubic"
.P
.TP
.B wscale:<snd_wscale>:<rcv_wscale>
if window scale option is used, this field shows the send scale factor
and receive scale factor
.P
.TP
.B rto:<icsk_rto>
tcp re-transmission timeout value, the unit is millisecond
.P
.TP
.B backoff:<icsk_backoff>
used for exponential backoff re-transmission, the actual
re-transmission timeout value is icsk_rto << icsk_backoff
.P
.TP
.B rtt:<rtt>/<rttvar>
rtt is the average round trip time, rttvar is the mean deviation of
rtt, their units are millisecond
.P
.TP
.B ato:<ato>
ack timeout, unit is millisecond, used for delay ack mode
.P
.TP
.B mss:<mss>
max segment size
.P
.TP
.B cwnd:<cwnd>
congestion window size
.P
.TP
.B pmtu:<pmtu>
path MTU value
.P
.TP
.B ssthresh:<ssthresh>
tcp congestion window slow start threshold
.P
.TP
.B bytes_acked:<bytes_acked>
bytes acked
.P
.TP
.B bytes_received:<bytes_received>
bytes received
.P
.TP
.B segs_out:<segs_out>
segments sent out
.P
.TP
.B segs_in:<segs_in>
segments received
.P
.TP
.B send <send_bps>bps
egress bps
.P
.TP
.B lastsnd:<lastsnd>
how long time since the last packet sent, the unit is millisecond
.P
.TP
.B lastrcv:<lastrcv>
how long time since the last packet received, the unit is millisecond
.P
.TP
.B lastack:<lastack>
how long time since the last ack received, the unit is millisecond
.P
.TP
.B pacing_rate <pacing_rate>bps/<max_pacing_rate>bps
the pacing rate and max pacing rate
.P
.TP
.B rcv_space:<rcv_space>
a helper variable for TCP internal auto tuning socket receive buffer
.P
.TP
.B tcp-ulp-mptcp flags:[MmBbJjecv] token:<rem_token(rem_id)/loc_token(loc_id)> seq:<sn> sfseq:<ssn> ssnoff:<off> maplen:<maplen>
MPTCP subflow information
.P
.RE
.TP
.B \-\-tos
Show ToS and priority information. Below fields may appear:
.RS
.P
.TP
.B tos
IPv4 Type-of-Service byte
.P
.TP
.B tclass
IPv6 Traffic Class byte
.P
.TP
.B class_id
Class id set by net_cls cgroup. If class is zero this shows priority
set by SO_PRIORITY.
.RE
.TP
.B \-\-cgroup
Show cgroup information. Below fields may appear:
.RS
.P
.TP
.B cgroup
Cgroup v2 pathname. This pathname is relative to the mount point of the hierarchy.
.RE
.TP
.B \-K, \-\-kill
Attempts to forcibly close sockets. This option displays sockets that are
successfully closed and silently skips sockets that the kernel does not support
closing. It supports IPv4 and IPv6 sockets only.
.TP
.B \-s, \-\-summary
Print summary statistics. This option does not parse socket lists obtaining
summary from various sources. It is useful when amount of sockets is so huge
that parsing /proc/net/tcp is painful.
.TP
.B \-E, \-\-events
Continually display sockets as they are destroyed
.TP
.B \-Z, \-\-context
As the
.B \-p
option but also shows process security context.
.sp
For
.BR netlink (7)
sockets the initiating process context is displayed as follows:
.RS
.RS
.IP "1." 4
If valid pid show the process context.
.IP "2." 4
If destination is kernel (pid = 0) show kernel initial context.
.IP "3." 4
If a unique identifier has been allocated by the kernel or netlink user,
show context as "unavailable". This will generally indicate that a
process has more than one netlink socket active.
.RE
.RE
.TP
.B \-z, \-\-contexts
As the
.B \-Z
option but also shows the socket context. The socket context is
taken from the associated inode and is not the actual socket
context held by the kernel. Sockets are typically labeled with the
context of the creating process, however the context shown will reflect
any policy role, type and/or range transition rules applied,
and is therefore a useful reference.
.TP
.B \-N NSNAME, \-\-net=NSNAME
Switch to the specified network namespace name.
.TP
.B \-b, \-\-bpf
Show socket BPF filters (only administrators are allowed to get these
information).
.TP
.B \-4, \-\-ipv4
Display only IP version 4 sockets (alias for -f inet).
.TP
.B \-6, \-\-ipv6
Display only IP version 6 sockets (alias for -f inet6).
.TP
.B \-0, \-\-packet
Display PACKET sockets (alias for -f link).
.TP
.B \-t, \-\-tcp
Display TCP sockets.
.TP
.B \-u, \-\-udp
Display UDP sockets.
.TP
.B \-d, \-\-dccp
Display DCCP sockets.
.TP
.B \-w, \-\-raw
Display RAW sockets.
.TP
.B \-x, \-\-unix
Display Unix domain sockets (alias for -f unix).
.TP
.B \-S, \-\-sctp
Display SCTP sockets.
.TP
.B \-\-vsock
Display vsock sockets (alias for -f vsock).
.TP
.B \-\-xdp
Display XDP sockets (alias for -f xdp).
.TP
.B \-f FAMILY, \-\-family=FAMILY
Display sockets of type FAMILY.  Currently the following families are
supported: unix, inet, inet6, link, netlink, vsock, xdp.
.TP
.B \-A QUERY, \-\-query=QUERY, \-\-socket=QUERY
List of socket tables to dump, separated by commas. The following identifiers
are understood: all, inet, tcp, udp, raw, unix, packet, netlink, unix_dgram,
unix_stream, unix_seqpacket, packet_raw, packet_dgram, dccp, sctp,
vsock_stream, vsock_dgram, xdp Any item in the list may optionally be
prefixed by an exclamation mark
.RB ( ! )
to exclude that socket table from being dumped.
.TP
.B \-D FILE, \-\-diag=FILE
Do not display anything, just dump raw information about TCP sockets
to FILE after applying filters. If FILE is - stdout is used.
.TP
.B \-F FILE, \-\-filter=FILE
Read filter information from FILE.  Each line of FILE is interpreted
like single command line option. If FILE is - stdin is used.
.TP
.B FILTER := [ state STATE-FILTER ] [ EXPRESSION ]
Please take a look at the official documentation for details regarding filters.

.SH STATE-FILTER

.B STATE-FILTER
allows to construct arbitrary set of states to match. Its syntax is
sequence of keywords state and exclude followed by identifier of
state.
.TP
Available identifiers are:

All standard TCP states:
.BR established ", " syn-sent ", " syn-recv ", " fin-wait-1 ", " fin-wait-2 ", " time-wait ", " closed ", " close-wait ", " last-ack ", "
.BR  listening " and " closing.

.B all
- for all the states

.B connected
- all the states except for
.BR listening " and " closed

.B synchronized
- all the
.B connected
states except for
.B syn-sent

.B bucket
- states, which are maintained as minisockets, i.e.
.BR time-wait " and " syn-recv

.B big
- opposite to
.B bucket

.SH USAGE EXAMPLES
.TP
.B ss -t -a
Display all TCP sockets.
.TP
.B ss -t -a -Z
Display all TCP sockets with process SELinux security contexts.
.TP
.B ss -u -a
Display all UDP sockets.
.TP
.B ss -o state established '( dport = :ssh or sport = :ssh )'
Display all established ssh connections.
.TP
.B ss -x src /tmp/.X11-unix/*
Find all local processes connected to X server.
.TP
.B ss -o state fin-wait-1 '( sport = :http or sport = :https )' dst 193.233.7/24
List all the tcp sockets in state FIN-WAIT-1 for our apache to network
193.233.7/24 and look at their timers.
.TP
.B ss -a -A 'all,!tcp'
List sockets in all states from all socket tables but TCP.
.SH SEE ALSO
.BR ip (8),
.br
.BR RFC " 793 "
- https://tools.ietf.org/rfc/rfc793.txt (TCP states)

.SH AUTHOR
.I ss
was written by Alexey Kuznetsov, <kuznet@ms2.inr.ac.ru>.
.PP
This manual page was written by Michael Prokop <mika@grml.org>
for the Debian project (but may be used by others).