Detailed explanation of the Linux ss command (obtain socket statistics)

Source: Internet
Author: User
The ss command can be used to obtain socket statistics. It can display content similar to netstat. The following are detailed instructions and examples.

ss is short for Socket Statistics. As the name suggests, the ss command obtains socket statistics and displays content similar to netstat. Its advantage is that it shows more detailed information about TCP and connection state, and it is faster and more efficient than netstat. When the number of socket connections on a server becomes very large, both the netstat command and a direct cat /proc/net/tcp become very slow. You may not notice it on a small machine, but once a server maintains tens of thousands of connections, netstat wastes a great deal of time while ss saves it. The secret of ss is that it uses tcp_diag in the TCP protocol stack. tcp_diag is a Linux kernel module for analysis and statistics that provides first-hand information from the kernel, which is what makes ss fast and efficient. If tcp_diag is not available on your system, ss still runs normally, only somewhat slower (but it is still faster than netstat).

1. Command format:
ss [options]
ss [options] [filter]

2. Command functions:
The ss (short for Socket Statistics) command obtains socket statistics. Its output is similar to that of netstat, but it can display more detailed TCP connection state information and is faster and more efficient than netstat. It uses tcp_diag (a module used for analysis and statistics) in the TCP protocol stack to obtain first-hand information directly from the kernel, which makes the ss command fast and efficient. Without tcp_diag, ss still runs normally.

3. Command parameters:
-h, --help: display help information
-V, --version: display program version information
-n, --numeric: do not resolve service names
-r, --resolve: resolve host names
-a, --all: display all sockets
-l, --listening: display sockets in the listening state
-o, --options: display timer information
-e, --extended: display detailed socket information
-m, --memory: display socket memory usage
-p, --processes: display the processes using sockets
-i, --info: display internal TCP information
-s, --summary: display a socket usage summary
-4, --ipv4: display only IPv4 sockets
-6, --ipv6: display only IPv6 sockets
-0, --packet: display PACKET sockets
-t, --tcp: display only TCP sockets
-u, --udp: display only UDP sockets
-d, --dccp: display only DCCP sockets
-w, --raw: display only RAW sockets
-x, --unix: display only Unix sockets
-f, --family=FAMILY: display sockets of type FAMILY. FAMILY can be unix, inet, inet6, link or netlink.
-A, --query=QUERY, --socket=QUERY
QUERY := {all|inet|tcp|udp|raw|unix|packet|netlink}[,QUERY]
-D, --diag=FILE: dump raw TCP socket information to FILE
-F, --filter=FILE: read filter information from FILE
FILTER := [ state TCP-STATE ] [ EXPRESSION ]

4. Examples:
Example 1: display TCP connections
Command: ss -t -a
Output:

[root@localhost ~]# ss -t -a
State    Recv-Q  Send-Q  Local Address:Port    Peer Address:Port
LISTEN   0       0       127.0.0.1:smux        *:*
LISTEN   0       0       *:3690                *:*
LISTEN   0       0       *:ssh                 *:*
ESTAB    0       0       192.168.120.204:ssh   10.2.0.68:49368
[root@localhost ~]#

Example 2: show the socket summary
Command: ss -s
Output:

[root@localhost ~]# ss -s
Total: 34 (kernel 48)
TCP:   4 (estab 1, closed 0, orphaned 0, synrecv 0, timewait 0/0), ports 3

Transport  Total  IP  IPv6
*          48     -   -
RAW        0      0   0
UDP        5      5   0
TCP        4      4   0
INET       9      9   0
FRAG       0      0   0
[root@localhost ~]#

Note: lists the current established, closed, orphaned and waiting TCP sockets.

Example 3: list all open network connection ports
Command: ss -l
Output:

[root@localhost ~]# ss -l
Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
0       0       127.0.0.1:smux      *:*
0       0       *:3690              *:*
0       0       *:ssh               *:*
[root@localhost ~]#

Example 4: view the sockets used by processes
Command: ss -pl
Output:

[root@localhost ~]# ss -pl
Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
0       0       127.0.0.1:smux      *:*    users:(("snmpd",2716,8))
0       0       *:3690              *:*    users:(("svnserve",3590,3))
0       0       *:ssh               *:*    users:(("sshd",2735,3))
[root@localhost ~]#

Example 5: find the application that opened a socket/port
Command: ss -lp | grep 3306
Output:

[root@localhost ~]# ss -lp | grep 1935
0       0       *:1935              *:*    users:(("fmsedge",2913,18))
0       0       127.0.0.1:19350     *:*    users:(("fmsedge",2913,17))
[root@localhost ~]# ss -lp | grep 3306
0       0       *:3306              *:*    users:(("mysqld",2871,10))
[root@localhost ~]#
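
The grep above matches 1935 inside 19350 as well, so a port audit is safer when it parses the columns. The following script is an added example, not part of the original article: it reads lines shaped like `ss -H -lntp` output and reports non-loopback listeners that are missing from an allowlist. The function names, the allowlist format and the sample lines are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample in the shape of `ss -H -lntp` output (no header, numeric
# ports): State Recv-Q Send-Q Local:Port Peer:Port [users:(("name",pid,fd))]
sample_listeners() {
cat <<'EOF'
LISTEN 0 128 127.0.0.1:199 *:* users:(("snmpd",2716,8))
LISTEN 0 128 *:3690 *:* users:(("svnserve",3590,3))
LISTEN 0 128 *:22 *:* users:(("sshd",2735,3))
LISTEN 0 50 *:3306 *:* users:(("mysqld",2871,10))
LISTEN 0 128 [::]:8080 [::]:*
EOF
}

# Print "port process" for every listener that is not bound to loopback.
exposed_listeners() {
    awk '$1 == "LISTEN" {
        port = $4; sub(/.*:/, "", port)        # text after the last colon
        host = $4; sub(/:[^:]*$/, "", host)    # text before the last colon
        if (host ~ /^127\./ || host == "[::1]" || host == "::1") next
        proc = "unknown"                       # users field is absent without -p or root
        if (match($0, /users:\(\("[^"]+"/))
            proc = substr($0, RSTART + 9, RLENGTH - 10)
        print port, proc
    }'
}

# Report exposed ports missing from a space-separated allowlist (hypothetical
# policy input, e.g. "22 3690").
unexpected_listeners() {
    allowed=" $1 "
    exposed_listeners | while read -r port proc; do
        case "$allowed" in
            *" $port "*) ;;
            *) echo "unexpected listener: port $port ($proc)" ;;
        esac
    done
}

# Live use: ss -H -lntp | unexpected_listeners "22 3690"
sample_listeners | unexpected_listeners "22 3690"
```

Run as root on a live host so that -p can name processes owned by other users; otherwise those listeners are reported as unknown.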

Example 6: display all UDP sockets
Command: ss -u -a
Output:

[root@localhost ~]# ss -u -a
State    Recv-Q  Send-Q  Local Address:Port      Peer Address:Port
UNCONN   0       0       127.0.0.1:syslog        *:*
UNCONN   0       0       *:snmp                  *:*
ESTAB    0       0       192.168.120.203:39641   10.58.119.119:domain
[root@localhost ~]#

Example 7: display all SMTP connections in the established state
Command: ss -o state established '( dport = :smtp or sport = :smtp )'
Output:

[root@localhost ~]# ss -o state established '( dport = :smtp or sport = :smtp )'
Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
[root@localhost ~]#

Example 8: display all HTTP connections in the established state
Command: ss -o state established '( dport = :http or sport = :http )'
Output:

[root@localhost ~]# ss -o state established '( dport = :http or sport = :http )'
Recv-Q  Send-Q  Local Address:Port     Peer Address:Port
0       0       75.126.153.214:2164    192.168.10.42:http
[root@localhost ~]#

Example 9: list all TCP sockets in the FIN-WAIT-1 state whose source port is 80 or 443 and whose destination network is 193.233.7/24
Command: ss -o state fin-wait-1 '( sport = :http or sport = :https )' dst 193.233.7/24

Example 10: filter sockets by TCP state
Command:

ss -4 state FILTER-NAME-HERE
ss -6 state FILTER-NAME-HERE

Output:

[root@localhost ~]# ss -4 state closing
Recv-Q  Send-Q  Local Address:Port     Peer Address:Port
1       11094   75.126.153.214:http    192.168.10.42:4669

Note:
FILTER-NAME-HERE can be any of the following:

established
syn-sent
syn-recv
fin-wait-1
fin-wait-2
time-wait
closed
close-wait
last-ack
listen
closing
all: all of the above states
connected: all states except listen and closed
synchronized: all connected states except syn-sent
bucket: states that are maintained as minisockets, such as time-wait and syn-recv
big: the opposite of bucket
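
The State column uses different spellings from the filter names (established is printed as ESTAB), and the outputs on this page show that the column disappears when a single state filter is given. The following script is an added example, not part of the original article: it tallies unfiltered `ss -H -tan` style lines by state and by peer, for instance to see which peer holds most of the half-open (syn-recv) sockets. Function names and sample lines are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample in the shape of `ss -H -tan` output (no header):
# State Recv-Q Send-Q Local:Port Peer:Port. Addresses are documentation ranges.
sample_tcp() {
cat <<'EOF'
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
ESTAB 0 0 192.0.2.10:80 198.51.100.7:51514
SYN-RECV 0 0 192.0.2.10:80 203.0.113.5:40001
SYN-RECV 0 0 192.0.2.10:80 203.0.113.5:40002
SYN-RECV 0 0 192.0.2.10:80 203.0.113.5:40003
SYN-RECV 0 0 192.0.2.10:80 198.51.100.7:51520
CLOSE-WAIT 1 0 192.0.2.10:80 198.51.100.9:33010
TIME-WAIT 0 0 192.0.2.10:80 198.51.100.7:51490
EOF
}

# Map a filter state name (as typed after `ss state`) to the State column text.
state_label() {
    case "$1" in
        established) echo ESTAB ;;
        closed)      echo UNCONN ;;
        *)           echo "$1" | tr '[:lower:]' '[:upper:]' ;;
    esac
}

# Count the sockets in one state, named the way the filter names it.
count_state() {
    awk -v st="$(state_label "$1")" '$1 == st { n++ } END { print n + 0 }'
}

# Print "peer count" for peers holding at least $2 sockets in state $1.
peers_in_state() {
    awk -v st="$(state_label "$1")" -v min="$2" '$1 == st {
        peer = $5; sub(/:[^:]*$/, "", peer); c[peer]++
    } END { for (p in c) if (c[p] >= min) print p, c[p] }' | sort
}

# Live use: ss -H -tan | peers_in_state syn-recv 3
sample_tcp | peers_in_state syn-recv 3
```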

Example 11: match the remote address and port number
Command:

ss dst ADDRESS_PATTERN
ss dst 192.168.1.5
ss dst 192.168.119.113:http
ss dst 192.168.119.113:smtp
ss dst 192.168.119.113:443

Output:

[root@localhost ~]# ss dst 192.168.119.113
State  Recv-Q  Send-Q  Local Address:Port      Peer Address:Port
ESTAB  0       0       192.168.119.103:16014   192.168.119.113:20229
ESTAB  0       0       192.168.119.103:16014   192.168.119.113:61056
ESTAB  0       0       192.168.119.103:16014   192.168.119.113:61623
ESTAB  0       0       192.168.119.103:16014   192.168.119.113:60924
ESTAB  0       0       192.168.119.103:16050   192.168.119.113:43701
ESTAB  0       0       192.168.119.103:16073   192.168.119.113:32930
ESTAB  0       0       192.168.119.103:16073   192.168.119.113:49318
ESTAB  0       0       192.168.119.103:16014   192.168.119.113:3844
[root@localhost ~]# ss dst 192.168.119.113:http
State  Recv-Q  Send-Q  Local Address:Port      Peer Address:Port
[root@localhost ~]# ss dst 192.168.119.113:3844
State  Recv-Q  Send-Q  Local Address:Port      Peer Address:Port
ESTAB  0       0       192.168.119.103:16014   192.168.119.113:3844
[root@localhost ~]#

Example 12: match the local address and port number
Command:

ss src ADDRESS_PATTERN
ss src 192.168.119.103
ss src 192.168.119.103:http
ss src 192.168.119.103:80
ss src 192.168.119.103:smtp
ss src 192.168.119.103:25

Output:

[root@localhost ~]# ss src 192.168.119.103:16021
State  Recv-Q  Send-Q  Local Address:Port      Peer Address:Port
ESTAB  0       0       192.168.119.103:16021   192.168.119.201:63054
ESTAB  0       0       192.168.119.103:16021   192.168.119.201:62894
ESTAB  0       0       192.168.119.103:16021   192.168.119.201:63055
ESTAB  0       0       192.168.119.103:16021   192.168.119.201:2274
ESTAB  0       0       192.168.119.103:16021   192.168.119.201:44784
ESTAB  0       0       192.168.119.103:16021   192.168.119.201:7233
ESTAB  0       0       192.168.119.103:16021   192.168.119.103:58660
ESTAB  0       0       192.168.119.103:16021   192.168.119.201:44822
ESTAB  0       0       192.168.119.103:16021   10.2.1.206:56737
ESTAB  0       0       192.168.119.103:16021   10.2.1.206:57487
ESTAB  0       0       192.168.119.103:16021   10.2.1.206:56736
ESTAB  0       0       192.168.119.103:16021   10.2.1.206:64652
ESTAB  0       0       192.168.119.103:16021   10.2.1.206:56586
ESTAB  0       0       192.168.119.103:16021   10.2.1.206:64653
ESTAB  0       0       192.168.119.103:16021   10.2.1.206:56587
[root@localhost ~]#

Example 13: compare the local or remote port with a number
Command:

ss dport OP PORT
ss sport OP PORT

Output:

[root@localhost ~]# ss sport = :http
[root@localhost ~]# ss dport = :http
[root@localhost ~]# ss dport \> :1024
[root@localhost ~]# ss sport \> :1024
[root@localhost ~]# ss sport \< :32000
[root@localhost ~]# ss sport eq :22
[root@localhost ~]# ss dport != :22
[root@localhost ~]# ss state connected sport = :http
[root@localhost ~]# ss \( sport = :http or sport = :https \)
[root@localhost ~]# ss -o state fin-wait-1 \( sport = :http or sport = :https \) dst 192.168.1/24

Note:
ss dport OP PORT compares the remote port with a number; ss sport OP PORT compares the local port with a number.
OP can be any of the following:
<= or le: less than or equal to the port number
>= or ge: greater than or equal to the port number
== or eq: equal to the port number
!= or ne: not equal to the port number
< or lt: less than the port number
> or gt: greater than the port number

Example 14: compare the efficiency of ss and netstat
Command:

time netstat -
time ss

Output:

[root@localhost ~]# time ss
real 0m0.739s
user 0m0.019s
sys 0m0.013s
[root@localhost ~]#
[root@localhost ~]# time netstat -
real 2m45.907s
user 0m0.063s
sys 0m0.067s
[root@localhost ~]#

Note:
Use the time command to measure how long the netstat and ss commands each take and the resources they consume. When the number of server connections is large, netstat cannot match the efficiency of ss.
