ss is short for Socket Statistics. As the name implies, the ss command reports socket statistics and displays information similar to netstat. Its advantage is that it shows more detailed information about TCP and connection state, and it is faster and more efficient than netstat.
When a server has a very large number of socket connections, both the netstat command and reading /proc/net/tcp directly with cat become very slow. You may not notice it, but trust me, when the server maintains tens of thousands of connections, using netstat is a waste of life, and using ss is a saving of time.
Speed is what sets ss apart. The secret of its speed is that it uses tcp_diag in the TCP stack. tcp_diag is a module for analysis and statistics that obtains first-hand information from the Linux kernel, which is what makes ss fast and efficient. If your system does not have tcp_diag, ss still works properly, only somewhat more slowly (but still faster than netstat).
1. Command format:
ss [parameter]
ss [parameter] [filter]
2. Command function:
The ss (Socket Statistics) command obtains socket statistics. Its output is similar to that of netstat, but it displays more detailed information about TCP connection state and is faster and more efficient than netstat. It uses tcp_diag (a module for analysis and statistics) in the TCP protocol stack to read first-hand kernel information directly, which is what makes ss fast and efficient. Without tcp_diag, ss still runs normally.
3. Command parameters:
- -h, --help displays help information
- -V, --version displays program version information
- -n, --numeric does not resolve service names
- -r, --resolve resolves host names
- -a, --all displays all sockets
- -l, --listening displays sockets in the listening state
- -o, --options displays timer information
- -e, --extended displays detailed socket information
- -m, --memory displays socket memory usage
- -p, --processes shows the processes using each socket
- -i, --info displays TCP internal information
- -s, --summary displays a summary of socket usage
- -4, --ipv4 displays only IPv4 sockets
- -6, --ipv6 displays only IPv6 sockets
- -0, --packet displays PACKET sockets
- -t, --tcp displays only TCP sockets
- -u, --udp displays only UDP sockets
- -d, --dccp displays only DCCP sockets
- -w, --raw displays only RAW sockets
- -x, --unix displays only Unix sockets
- -f, --family=FAMILY displays sockets of type FAMILY; supported values are unix, inet, inet6, link, netlink
- -A, --query=QUERY, --socket=QUERY
QUERY := {all|inet|tcp|udp|raw|unix|packet|netlink}[,QUERY]
- -D, --diag=FILE dumps raw TCP socket information to a file
- -F, --filter=FILE reads filter information from a file
FILTER := [ state TCP-STATE ] [ EXPRESSION ]
4. Use examples:
Example 1: Display TCP connections
Command:
ss -t -a
Output:
[root@localhost ~]# ss -t -a
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 0 127.0.0.1:smux *:*
LISTEN 0 0 *:3690 *:*
LISTEN 0 0 *:ssh *:*
ESTAB 0 0 192.168.120.204:ssh 10.2.0.68:49368
[root@localhost ~]#
Example 2: Display Sockets Summary
Command:
ss -s
Output:
[root@localhost ~]# ss -s
Total: 34 (kernel 48)
TCP: 4 (estab 1, closed 0, orphaned 0, synrecv 0, timewait 0/0), ports 3
Transport Total IP IPv6
* 48 - -
RAW 0 0 0
UDP 5 5 0
TCP 4 4 0
INET 9 9 0
FRAG 0 0 0
[root@localhost ~]#
Explanation:
Lists the current established, closed, orphaned and waiting TCP sockets.
Example 3: List all open network connection ports
Command:
ss -l
Output:
[root@localhost ~]# ss -l
Recv-Q Send-Q Local Address:Port Peer Address:Port
0 0 127.0.0.1:smux *:*
0 0 *:3690 *:*
0 0 *:ssh *:*
[root@localhost ~]#
Example 4: View the socket used by the process
Command:
ss -pl
Output:
[root@localhost ~]# ss -pl
Recv-Q Send-Q Local Address:Port Peer Address:Port
0 0 127.0.0.1:smux *:* users:(("snmpd",2716,8))
0 0 *:3690 *:* users:(("svnserve",3590,3))
0 0 *:ssh *:* users:(("sshd",2735,3))
[root@localhost ~]#
Example 5: Find an open socket/port application
Command:
ss -lp | grep 3306
Output:
[root@localhost ~]# ss -lp|grep 1935
0 0 *:1935 *:* users:(("fmsedge",2913,18))
0 0 127.0.0.1:19350 *:* users:(("fmsedge",2913,17))
[root@localhost ~]# ss -lp|grep 3306
0 0 *:3306 *:* users:(("mysqld",2871,10))
[root@localhost ~]#
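Examples 4 and 5 map listening ports to the processes that own them. As an added example (not part of the original page), the function below parses that output and reports listeners bound to every interface whose process is not on an allowlist; the function name, the allowlist and the last two sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): report listeners bound to every
# interface whose owning process is not on an allowlist.
# Reads `ss -pl`-style lines on stdin; prints "PORT PROCESS PID" per finding.
audit_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        {
            # Local address is the first ADDR:PORT field (works with or without
            # the Netid/State columns that newer ss versions print).
            loc = ""
            for (i = 1; i <= NF; i++)
                if ($i ~ /:[^:]+$/ && $i !~ /^users:/) { loc = $i; break }
            if (loc == "") next
            port = loc; sub(/^.*:/, "", port)
            addr = loc; sub(/:[^:]*$/, "", addr)
            # Keep wildcard binds only; the header ("Address:Port") drops out here too.
            if (addr != "*" && addr != "0.0.0.0" && addr != "::" && addr != "[::]") next
            name = "unknown"; pid = "-"       # ss omits users:(...) without privileges
            if (match($0, /users:\(\("[^"]+"/)) {
                name = substr($0, RSTART + 9, RLENGTH - 10)
                rest = substr($0, RSTART + RLENGTH)
                sub(/^,(pid=)?/, "", rest)    # old form: ,2716,8  new form: ,pid=2716,fd=8
                pid = rest; sub(/[^0-9].*$/, "", pid)
            }
            if (!(name in ok)) print port, name, pid
        }'
}

# First three data lines are taken from Example 4; the last two are constructed.
SAMPLE='Recv-Q Send-Q Local Address:Port Peer Address:Port
0 0 127.0.0.1:smux *:* users:(("snmpd",2716,8))
0 0 *:3690 *:* users:(("svnserve",3590,3))
0 0 *:ssh *:* users:(("sshd",2735,3))
0 128 0.0.0.0:8080 0.0.0.0:* users:(("python3",pid=4242,fd=5))
0 128 [::]:9100 [::]:*'

# Allowlist (assumed): processes expected to listen on all interfaces.
printf '%s\n' "$SAMPLE" | audit_listeners "sshd svnserve"
```

The process name shown by ss can be changed by the process itself, so confirm a finding or an allowlisted entry against /proc/<pid>/exe.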
Example 6: Display all UDP Sockets
Command:
ss -u -a
Output:
[root@localhost ~]# ss -u -a
State Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0 0 127.0.0.1:syslog *:*
UNCONN 0 0 *:snmp *:*
ESTAB 0 0 192.168.120.203:39641 10.58.119.119:domain
[root@localhost ~]#
Example 7: Show all SMTP connections with established status
Command:
ss -o state established '( dport = :smtp or sport = :smtp )'
Output:
[root@localhost ~]# ss -o state established '( dport = :smtp or sport = :smtp )'
Recv-Q Send-Q Local Address:Port Peer Address:Port
[root@localhost ~]#
Example 8: Display all HTTP connections with Established status
Command:
ss -o state established '( dport = :http or sport = :http )'
Output:
[root@localhost ~]# ss -o state established '( dport = :http or sport = :http )'
Recv-Q Send-Q Local Address:Port Peer Address:Port
0 0 75.126.153.214:2164 192.168.10.42:http
[root@localhost ~]#
Example 9: List all tcp sockets in FIN-WAIT-1 state with source port 80 or 443 and target network 193.233.7/24.
Command:
ss -o state fin-wait-1 '( sport = :http or sport = :https )' dst 193.233.7/24
Example 10: Filter Sockets with TCP state:
Command:
ss -4 state FILTER-NAME-HERE
ss -6 state FILTER-NAME-HERE
Output:
[root@localhost ~]# ss -4 state closing
Recv-Q Send-Q Local Address:Port Peer Address:Port
1 11094 75.126.153.214:http 192.168.10.42:4669
Explanation:
FILTER-NAME-HERE can be any of the following:
established
syn-sent
syn-recv
fin-wait-1
fin-wait-2
time-wait
closed
close-wait
last-ack
listen
closing
all : all of the above states
connected : all states except listen and closed
synchronized : all connected states except syn-sent
bucket : states that are maintained as minisockets, such as time-wait and syn-recv
big : the opposite of bucket
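The composite state names above can also be applied to output that was saved without a filter, for example during incident triage. This added example (not part of the original page) classifies each socket in saved `ss -tan` output by those classes and counts sockets per peer address; the function name, threshold and sample lines are constructed, and it assumes the State column uses ss's short names (ESTAB, UNCONN for closed, and so on).

```shell
#!/bin/sh
# Added example (not from the original page): apply the composite state classes
# to saved `ss -tan` output and count sockets per peer address.
# Prints "COUNT PEER" for every peer with at least MIN_COUNT matching sockets.
peers_in_class() {   # usage: peers_in_class CLASS MIN_COUNT < saved-ss-output
    awk -v class="$1" -v min="$2" '
        function member(st) {
            if (st == "State") return 0                       # header line
            listen_or_closed = (st == "LISTEN" || st == "UNCONN")
            bucket = (st == "TIME-WAIT" || st == "SYN-RECV")  # minisocket states
            if (class == "all")          return 1
            if (class == "connected")    return !listen_or_closed
            if (class == "synchronized") return !listen_or_closed && st != "SYN-SENT"
            if (class == "bucket")       return bucket
            if (class == "big")          return !bucket
            return 0                                          # unknown class matches nothing
        }
        member($1) {
            peer = $5; sub(/:[^:]*$/, "", peer)               # strip the port, keep the address
            count[peer]++
        }
        END { for (p in count) if (count[p] >= min) print count[p], p }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample in the column layout of Example 1 (documentation addresses).
SAMPLE_STATES='State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:80 *:*
ESTAB 0 0 192.0.2.10:80 198.51.100.7:51000
SYN-RECV 0 0 192.0.2.10:80 203.0.113.5:40001
SYN-RECV 0 0 192.0.2.10:80 203.0.113.5:40002
SYN-RECV 0 0 192.0.2.10:80 203.0.113.5:40003
TIME-WAIT 0 0 192.0.2.10:80 198.51.100.7:51001
SYN-SENT 0 1 192.0.2.10:45000 198.51.100.9:443'

# Peers holding two or more sockets in the bucket states (time-wait, syn-recv).
printf '%s\n' "$SAMPLE_STATES" | peers_in_class bucket 2
```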
Example 11: Matching remote address and port number
Command:
ss dst ADDRESS_PATTERN
ss dst 192.168.1.5
ss dst 192.168.119.113:http
ss dst 192.168.119.113:smtp
ss dst 192.168.119.113:443
Output:
[root@localhost ~]# ss dst 192.168.119.113
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 192.168.119.103:16014 192.168.119.113:20229
ESTAB 0 0 192.168.119.103:16014 192.168.119.113:61056
ESTAB 0 0 192.168.119.103:16014 192.168.119.113:61623
ESTAB 0 0 192.168.119.103:16014 192.168.119.113:60924
ESTAB 0 0 192.168.119.103:16050 192.168.119.113:43701
ESTAB 0 0 192.168.119.103:16073 192.168.119.113:32930
ESTAB 0 0 192.168.119.103:16073 192.168.119.113:49318
ESTAB 0 0 192.168.119.103:16014 192.168.119.113:3844
[root@localhost ~]# ss dst 192.168.119.113:http
State Recv-Q Send-Q Local Address:Port Peer Address:Port
[root@localhost ~]# ss dst 192.168.119.113:3844
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 192.168.119.103:16014 192.168.119.113:3844
[root@localhost ~]#
Example 12: Match local address and port number
Command:
ss src ADDRESS_PATTERN
ss src 192.168.119.103
ss src 192.168.119.103:http
ss src 192.168.119.103:80
ss src 192.168.119.103:smtp
ss src 192.168.119.103:25
Output:
[root@localhost ~]# ss src 192.168.119.103:16021
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 192.168.119.103:16021 192.168.119.201:63054
ESTAB 0 0 192.168.119.103:16021 192.168.119.201:62894
ESTAB 0 0 192.168.119.103:16021 192.168.119.201:63055
ESTAB 0 0 192.168.119.103:16021 192.168.119.201:2274
ESTAB 0 0 192.168.119.103:16021 192.168.119.201:44784
ESTAB 0 0 192.168.119.103:16021 192.168.119.201:7233
ESTAB 0 0 192.168.119.103:16021 192.168.119.103:58660
ESTAB 0 0 192.168.119.103:16021 192.168.119.201:44822
ESTAB 0 0 192.168.119.103:16021 10.2.1.206:56737
ESTAB 0 0 192.168.119.103:16021 10.2.1.206:57487
ESTAB 0 0 192.168.119.103:16021 10.2.1.206:56736
ESTAB 0 0 192.168.119.103:16021 10.2.1.206:64652
ESTAB 0 0 192.168.119.103:16021 10.2.1.206:56586
ESTAB 0 0 192.168.119.103:16021 10.2.1.206:64653
ESTAB 0 0 192.168.119.103:16021 10.2.1.206:56587
[root@localhost ~]#
Example 13: Compare local or remote ports with one number
Command:
ss dport OP PORT
ss sport OP PORT
Output:
[root@localhost ~]# ss sport = :http
[root@localhost ~]# ss dport = :http
[root@localhost ~]# ss dport \> :1024
[root@localhost ~]# ss sport \> :1024
[root@localhost ~]# ss sport \< :32000
[root@localhost ~]# ss sport eq :22
[root@localhost ~]# ss dport != :22
[root@localhost ~]# ss state connected sport = :http
[root@localhost ~]# ss \( sport = :http or sport = :https \)
[root@localhost ~]# ss -o state fin-wait-1 \( sport = :http or sport = :https \) dst 192.168.1/24
Explanation:
ss dport OP PORT compares the remote port with a number; ss sport OP PORT compares the local port with a number.
OP can be any of the following:
<= or le: less than or equal to the port number
>= or ge: greater than or equal to the port number
== or eq: equal to the port number
!= or ne: not equal to the port number
< or lt: less than the port number
> or gt: greater than the port number
Example 14: ss and netstat efficiency comparison
Command:
time netstat -at
time ss
Output:
[root@localhost ~]# time ss
real 0m0.739s
user 0m0.019s
sys 0m0.013s
[root@localhost ~]#
[root@localhost ~]# time netstat -at
real 2m45.907s
user 0m0.063s
sys 0m0.067s
[root@localhost ~]#
Explanation:
The time command measures how long netstat and ss each take to produce their output. When the server has a large number of connections, netstat is far less efficient than ss.