http://blog.lifeibo.com/?p=244
In practice, skilled use of tools improves our efficiency. Today we will take a brief look at how to use the ss tool. ss is short for socket state: it shows the status of the sockets in the system. We could use netstat for this, so why use ss? Because netstat becomes slow when a large number of sockets are open, and ss copes well with that case.
Let's take a look at the ss command format:
$ ss [options] [state-filter] [address-filter]
The options, taken from the man page:
-h - show help page
-? - the same, of course
-v, -V - print version of ss and exit
-s - print summary statistics. This option does not parse socket lists, obtaining the summary from various sources. It is useful when the amount of sockets is so huge that parsing /proc/net/tcp is painful.
-D FILE - do not display anything, just dump raw information about TCP sockets to FILE after applying filters. If FILE is -, stdout is used.
-F FILE - read continuation of filter from FILE. Each line of FILE is interpreted like a single command line option. If FILE is -, stdin is used.
-r - try to resolve numeric addresses/ports
-n - do not try to resolve ports
-o - show some optional information, e.g. TCP timers
-i - show some information specific to TCP (RTO, congestion window, slow start threshold etc.)
-e - show even more optional information
-m - show extended information on memory used by the socket. It is available only with tcp_diag enabled.
-p - show list of processes owning the socket
-f FAMILY - default address family used for parsing addresses. This option also limits the listing to sockets supporting the given address family. Currently the following families are supported: unix, inet, inet6, link, netlink.
-4 - alias for -f inet
-6 - alias for -f inet6
-0 - alias for -f link
-A LIST-OF-TABLES - list of socket tables to dump, separated by commas. The following identifiers are understood: all, inet, tcp, udp, raw, unix, packet, netlink, unix_dgram, unix_stream, packet_raw, packet_dgram.
-x - alias for -A unix
-t - alias for -A tcp
-u - alias for -A udp
-w - alias for -A raw
-a - show sockets of all the states. By default sockets in states LISTEN, TIME-WAIT, SYN_RECV and CLOSE are skipped.
-l - show only sockets in state LISTEN
The strength of ss is that it accepts filter conditions. We can filter by socket state, or by port and IP address. These are the state-filter and address-filter shown in the command format.
First, the state-filter. The available filter conditions are:
1. Any of the TCP states: established, syn-sent, syn-recv, fin-wait-1, fin-wait-2, time-wait, closed, close-wait, last-ack, listen and closing.
2. all: all the states.
3. connected: all the states except listen and closed.
4. synchronized: all the connected states except syn-sent.
5. bucket
6. big
For example:
$ ss state connected
Now the address-filter, which filters on ports and addresses. Expressions can be combined. The available subexpressions are:
1. dst address_pattern
2. src address_pattern
3. dport relop port
4. sport relop port
5. autobound
Here, address_pattern matches the IP address and port, and is written in the form IP:port. relop is <=, >= or =.
For example:
$ ss dst 192.168.0.1:80
$ ss dport = 80
Multiple subexpressions can be combined with and, or and not, just like in tcpdump. Parentheses must be escaped so that the shell does not interpret them.
For example:
$ ss -o state fin-wait-1 \( sport = :http or sport = :https \) dst 193.233.7/24
Let's look at several examples:
View the overall system information:
$ ss -s
Total: 85 (kernel 108)
TCP:   15 (estab 4, closed 0, orphaned 0, synrecv 0, timewait 0/0), ports 12

Transport Total     IP        IPv6
*         108       -         -
RAW       0         0         0
UDP       10        7         3
TCP       15        12        3
INET      25        19        6
FRAG      0         0         0
To see who is using port 8088 on the current machine:
$ ss -lp src :8088
Recv-Q Send-Q    Local Address:Port    Peer Address:Port
0      0                     *:8088               *:*      users:(("nginx",2942,5),("nginx",2943,5))
We can see that it is an nginx process with a process ID of 2942.
Of course, the lsof tool also makes this easy: lsof -i :80
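The "who is using this port" lookup above can be extended into an audit of every listener against a port allowlist. This is an added example, not code from the original post: the function names, the allowlist and the sample output are constructed, and it assumes the column layout of `ss -lntp` on current iproute2 (State in the first column, owner printed as either `"name",pid,fd` or `"name",pid=N,fd=N`).

```shell
#!/usr/bin/env bash
# Added example: flag listening TCP sockets whose port is not on an allowlist.
# On a live host: ss -lntp | unexpected_listeners "22 80"

# Constructed sample. The first two lines use the older owner format shown in
# the post, the third uses the pid=/fd= format, the fourth has no owner column
# (what an unprivileged user sees for other users' sockets).
sample_ss_output() {
cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    *:8088             *:*     users:(("nginx",2942,5),("nginx",2943,5))
LISTEN 0      128    *:22               *:*     users:(("sshd",811,3))
LISTEN 0      50     127.0.0.1:4444     *:*     users:(("nc",pid=5120,fd=3))
LISTEN 0      128    [::]:80            [::]:*
EOF
}

# unexpected_listeners "<allowed ports>": reads ss output on stdin and prints
# "port owner pid" (first owner only) for each listener not on the allowlist.
unexpected_listeners() {
  awk -v allowed="$1" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "LISTEN" {
      port = $4; sub(/.*:/, "", port)            # drop the address, keep the port
      if (port in ok) next
      owner = "unknown"; pid = "-"               # defaults when users: is absent
      if (match($0, /\(\("[^"]+",(pid=)?[0-9]+/)) {
        u = substr($0, RSTART + 3, RLENGTH - 3)  # nginx",2942 or nc",pid=5120
        owner = u; sub(/".*/, "", owner)
        pid = u;   sub(/.*[,=]/, "", pid)
      }
      print port, owner, pid
    }'
}

sample_ss_output | unexpected_listeners "22 80"
```

A listener reported as `unknown` means ss could not see the owning process, so rerun the audit as root before drawing conclusions.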
Well, let's briefly introduce it here.