TrumanWong

ss

A socket statistics tool that is easier to use than netstat. It is another utility shipped with the iproute2 package and lets you query socket statistics.

Supplementary instructions

The ss command displays information about active sockets. It reports socket statistics much as netstat does, but it shows more, and more detailed, information about TCP and connection state, and it is faster and more efficient than netstat.

When a server holds a very large number of socket connections, both the netstat command and reading /proc/net/tcp directly with cat become very slow. You may not have noticed it yourself, but once a server maintains tens of thousands of connections, using netstat is a waste of time, while ss saves it.

The secret of ss's speed is that it uses tcp_diag in the TCP protocol stack. tcp_diag is a module for analysis and statistics that obtains first-hand information from the Linux kernel, which is what makes ss fast and efficient. If tcp_diag is not available on your system, ss still runs normally, only somewhat more slowly.

Syntax

ss [options]
ss [options] [filter]

Options

-h, --help show help information
-V, --version show program version information
-n, --numeric do not resolve service names
-r, --resolve resolve host names
-a, --all show all sockets
-l, --listening show listening sockets
-o, --options show timer information
-e, --extended show detailed socket information
-m, --memory show socket memory usage
-p, --processes show processes using sockets
-i, --info show internal TCP information
-s, --summary show socket usage summary
-4, --ipv4 show only IPv4 sockets
-6, --ipv6 show only IPv6 sockets
-0, --packet show PACKET sockets
-t, --tcp show only TCP sockets
-u, --udp show only UDP sockets
-d, --dccp show only DCCP sockets
-w, --raw show only RAW sockets
-x, --unix show only Unix sockets
-f, --family=FAMILY show sockets of type FAMILY; FAMILY is one of unix, inet, inet6, link, netlink
-A, --query=QUERY, --socket=QUERY
       QUERY := {all|inet|tcp|udp|raw|unix|packet|netlink}[,QUERY]
-D, --diag=FILE dump raw information about TCP sockets to FILE
-F, --filter=FILE read filter information from FILE
       FILTER := [ state TCP-STATE ] [ EXPRESSION ]

Example

ss -t -a # Display TCP connections
ss -s # Display Sockets summary
ss -l # List all open network ports
ss -pl # View the sockets used by the process
ss -lp | grep 3306 # Find the application that opens the socket/port
ss -u -a # Display all UDP sockets
ss -o state established '( dport = :smtp or sport = :smtp )' # Display all SMTP connections with established status
ss -o state established '( dport = :http or sport = :http )' # Display all HTTP connections with Established status
ss -o state fin-wait-1 '( sport = :http or sport = :https )' dst 193.233.7/24 # List all TCP sockets in FIN-WAIT-1 state whose source port is 80 or 443 and whose destination network is 193.233.7/24

# Comparison of ss and netstat efficiency
time netstat -at
time ss

# Match remote address and port number
# ss dst ADDRESS_PATTERN
ss dst 192.168.1.5
ss dst 192.168.119.113:http
ss dst 192.168.119.113:smtp
ss dst 192.168.119.113:443

# Match local address and port number
# ss src ADDRESS_PATTERN
ss src 192.168.119.103
ss src 192.168.119.103:http
ss src 192.168.119.103:80
ss src 192.168.119.103:smtp
ss src 192.168.119.103:25

Compare local or remote port to a number

# ss dport OP PORT compares the remote port with a number
# ss sport OP PORT compares the local port with a number
# OP can be any of the following:
# <= or le : less than or equal to the port number
# >= or ge : greater than or equal to the port number
# == or eq : equal to the port number
# != or ne : not equal to the port number
# < or lt : less than the port number
# > or gt : greater than the port number
ss sport = :http
ss dport = :http
ss dport \> :1024
ss sport \> :1024
ss sport \< :32000
ss sport eq :22
ss dport != :22
ss state connected sport = :http
ss \( sport = :http or sport = :https \)
ss -o state fin-wait-1 \( sport = :http or sport = :https \) dst 192.168.1/24

Filter sockets by TCP state

ss -4 state closing
# ss -4 state FILTER-NAME-HERE
# ss -6 state FILTER-NAME-HERE
# FILTER-NAME-HERE can be any of the following:
# established, syn-sent, syn-recv, fin-wait-1, fin-wait-2, time-wait, closed, close-wait, last-ack, listen, closing
# all : all of the above states
# connected : all states except listen and closed
# synchronized : all connected states except syn-sent
# bucket : states that are maintained as minisockets, such as time-wait and syn-recv
# big : the opposite of bucket

Show TCP connections

[root@localhost ~]# ss -t -a
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 0 *:3306 *:*
LISTEN 0 0 *:http *:*
LISTEN 0 0 *:ssh *:*
LISTEN 0 0 127.0.0.1:smtp *:*
ESTAB 0 0 112.124.15.130:42071 42.156.166.25:http
ESTAB 0 0 112.124.15.130:ssh 121.229.196.235:33398

Show Sockets summary

[root@localhost ~]# ss -s
Total: 172 (kernel 189)
TCP: 10 (estab 2, closed 4, orphaned 0, synrecv 0, timewait 0/0), ports 5

Transport Total IP IPv6
* 189 - -
RAW 0 0 0
UDP 5 5 0
TCP 6 6 0
INET 11 11 0
FRAG 0 0 0

The summary lists the current established, closed, orphaned and waiting TCP sockets.

List all open network ports

[root@localhost ~]# ss -l
Recv-Q Send-Q Local Address:Port Peer Address:Port
0 0 *:3306 *:*
0 0 *:http *:*
0 0 *:ssh *:*
0 0 127.0.0.1:smtp *:*

View the sockets used by the process

[root@localhost ~]# ss -pl
Recv-Q Send-Q Local Address:Port Peer Address:Port
0 0 *:3306 *:* users:(("mysqld",1718,10))
0 0 *:http *:* users:(("nginx",13312,5),("nginx",13333,5))
0 0 *:ssh *:* users:(("sshd",1379,3))
0 0 127.0.0.1:smtp *:* us

Find out the application that opens the socket/port

[root@localhost ~]# ss -pl | grep 3306
0 0 *:3306 *:* users:(("mysqld",1718,10))
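
The two listings above answer "which process owns this port?" one port at a time. The following added example (not part of the original page) audits every listener at once and reports those not bound to loopback, with the owning process. The function names sample_listeners and exposed_listeners are hypothetical and the sample data is constructed.

```shell
#!/bin/sh
# Constructed sample in the layout of `ss -tlnp`. The users:(...) column is
# shown in both the older ("name",pid,fd) and newer (pid=N,fd=N) forms, and is
# missing where ss could not see the owning process.
sample_listeners() {
cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 50  *:3306       *:*       users:(("mysqld",1718,10))
LISTEN 0 128 *:80         *:*       users:(("nginx",13312,5),("nginx",13333,5))
LISTEN 0 128 0.0.0.0:22   0.0.0.0:* users:(("sshd",pid=1379,fd=3))
LISTEN 0 100 127.0.0.1:25 *:*       users:(("master",pid=1502,fd=13))
LISTEN 0 128 [::]:22      [::]:*    users:(("sshd",pid=1379,fd=4))
LISTEN 0 128 [::1]:631    [::]:*
LISTEN 0 128 *:8080       *:*
EOF
}

# Hypothetical helper: read ss listener output on stdin and print
# "port address process pid" for every listener not bound to loopback.
exposed_listeners() {
  awk '{
    loc = ""; users = ""
    for (i = 1; i <= NF; i++) {
      if (loc == "" && index($i, ":")) loc = $i       # first addr:port field
      if (index($i, "users:") == 1) users = $i
    }
    if (loc == "") next
    n = length(loc)
    while (n > 0 && substr(loc, n, 1) != ":") n--     # split at the last colon
    addr = substr(loc, 1, n - 1); port = substr(loc, n + 1)
    if (port == "Port") next                          # header line
    if (addr ~ /^127\./ || addr == "::1" || addr == "[::1]") next
    name = "unknown"; pid = "-"
    if (match(users, /[(]"[^"]*"/)) {                 # first ("name" entry
      name = substr(users, RSTART + 2, RLENGTH - 3)
      rest = substr(users, RSTART + RLENGTH + 1)
      sub(/^pid=/, "", rest)
      if (match(rest, /^[0-9]+/)) pid = substr(rest, 1, RLENGTH)
    }
    print port, addr, name, pid
  }'
}

sample_listeners | exposed_listeners   # on a live host: ss -tlnp | exposed_listeners
```

A listener reported as "unknown" usually means ss was run without root privileges, since -p only shows process details for sockets the caller is allowed to inspect.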

Show all UDP Sockets

[root@localhost ~]# ss -u -a
State Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0 0 *:syslog *:*
UNCONN 0 0 112.124.15.130:ntp *:*
UNCONN 0 0 10.160.7.81:ntp *:*
UNCONN 0 0 127.0.0.1:ntp *:*
UNCONN 0 0 *:ntp *:*

All sockets whose local port is 22 (ssh)

[root@localhost ~]# ss state all sport = :ssh
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp LISTEN 0 128 *:ssh *:*
tcp ESTAB 0 0 192.168.0.136:ssh 192.168.0.102:46540
tcp LISTEN 0 128 :::ssh :::*

View TCP connection status

[root@localhost ~]# ss -tan|awk 'NR>1{++S[$1]}END{for (a in S) print a,S[a]}'
LISTEN 7
ESTAB 31
TIME-WAIT 28