Linux命令
linux下man帮助对ss的描述是:
NAME ss - another utility to investigate sockets
SYNOPSIS ss [options] [ FILTER ]
DESCRIPTION ss is used to dump socket statistics. It allows showing information similar to netstat. It can display more TCP and state informations than other tools.
ss是一个另外一个对socket查看的工具,ss 用于转储套接字统计信息。 它允许显示类似于 netstat 的信息。 它可以显示比其他工具更多的 TCP 和状态信息。
主要的参数说明有:
PTIONS
When no option is used ss displays a list of open non-listening sockets (e.g. TCP/UNIX/UDP) that have established connection.
-h, --help
Show summary of options.
-V, --version
Output version information.
-H, --no-header
Suppress header line.
-n, --numeric
Do not try to resolve service names. # 不解析域名
-r, --resolve
Try to resolve numeric address/ports.
-a, --all # 显示所有信息
Display both listening and non-listening (for TCP this means established connections) sockets.
-l, --listening # 只显示正在监听的socket
Display only listening sockets (these are omitted by default).
-o, --options
Show timer information. For tcp protocol, the output format is:
timer:(<timer_name>,<expire_time>,<retrans>)
<timer_name>
the name of the timer, there are five kind of timer names:
on: means one of these timers: tcp retrans timer, tcp early retrans timer and tail loss probe timer
keepalive: tcp keep alive timer
timewait: timewait stage timer
persist: zero window probe timer
unknown: none of the above timers
<expire_time>
how long time the timer will expire
<retrans>
how many times the retran occurs
-e, --extended
Show detailed socket information. The output format is:
<rcv_buf>
the total memory can be allocated for receiving packet
<wmem_alloc>
the memory used for sending packet (which has been sent to layer 3)
<snd_buf>
the total memory can be allocated for sending packet
<fwd_alloc>
the memory allocated by the socket as cache, but not used for receiving/sending packet yet. If need memory to send/receive packet, the memory in this cache will
be used before allocate additional memory.
<wmem_queued>
The memory allocated for sending packet (which has not been sent to layer 3)
<opt_mem>
The memory used for storing socket option, e.g., the key for TCP MD5 signature
<back_log>
The memory used for the sk backlog queue. On a process context, if the process is receiving packet, and a new packet is received, it will be put into the sk
backlog queue, so it can be received by the process immediately
-p, --processes # 显示进程
Show process using socket.
-i, --info
Show internal TCP information. Below fields may appear:
ts show string "ts" if the timestamp option is set
sack show string "sack" if the sack option is set
ecn show string "ecn" if the explicit congestion notification option is set
ecnseen
show string "ecnseen" if the saw ecn flag is found in received packets
fastopen
show string "fastopen" if the fastopen option is set
rtt is the average round trip time, rttvar is the mean deviation of rtt, their units are millisecond
ato:<ato>
ack timeout, unit is millisecond, used for delay ack mode
mss:<mss>
max segment size
cwnd:<cwnd>
congestion window size
pmtu:<pmtu>
path MTU value
ssthresh:<ssthresh>
tcp congestion window slow start threshold
bytes_acked:<bytes_acked>
bytes acked
bytes_received:<bytes_received>
bytes received
segs_out:<segs_out>
segments sent out
segs_in:<segs_in>
segments received
send <send_bps>bps
egress bps
lastsnd:<lastsnd>
how long time since the last packet sent, the unit is millisecond
lastrcv:<lastrcv>
how long time since the last packet received, the unit is millisecond
lastack:<lastack>
how long time since the last ack received, the unit is millisecond
pacing_rate <pacing_rate>bps/<max_pacing_rate>bps
the pacing rate and max pacing rate
rcv_space:<rcv_space>
a helper variable for TCP internal auto tuning socket receive buffer
-K, --kill
Attempts to forcibly close sockets. This option displays sockets that are successfully closed and silently skips sockets that the kernel does not support closing. It
supports IPv4 and IPv6 sockets only.
-s, --summary
Print summary statistics. This option does not parse socket lists obtaining summary from various sources. It is useful when amount of sockets is so huge that parsing
/proc/net/tcp is painful.
-Z, --context
As the -p option but also shows process security context.
For netlink(7) sockets the initiating process context is displayed as follows:
1. If valid pid show the process context.
-d, --dccp
Display DCCP sockets.
-w, --raw
Display RAW sockets.
-x, --unix
Display Unix domain sockets (alias for -f unix).
-S, --sctp
Display SCTP sockets.
--vsock
Display vsock sockets (alias for -f vsock).
-f FAMILY, --family=FAMILY
Display sockets of type FAMILY. Currently the following families are supported: unix, inet, inet6, link, netlink, vsock.
-A QUERY, --query=QUERY, --socket=QUERY
List of socket tables to dump, separated by commas. The following identifiers are understood: all, inet, tcp, udp, raw, unix, packet, netlink, unix_dgram, unix_stream,
unix_seqpacket, packet_raw, packet_dgram, dccp, sctp, vsock_stream, vsock_dgram.
-D FILE, --diag=FILE
Do not display anything, just dump raw information about TCP sockets to FILE after applying filters. If FILE is - stdout is used.
-F FILE, --filter=FILE
Read filter information from FILE. Each line of FILE is interpreted like single command line option. If FILE is - stdin is used.
FILTER := [ state STATE-FILTER ] [ EXPRESSION ]
Please take a look at the official documentation for details regarding filters.
示例
显示所有tcp连接
ss -t -a
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:6379 *:*
LISTEN 0 128 *:http *:*
LISTEN 0 128 *:9520 *:*
LISTEN 0 128 *:9521 *:*
LISTEN 0 9 *:ftp *:*
SYN-RECV 0 0 192.168.1.248:ftp 175.100.191.221:ftp
SYN-RECV 0 0 192.168.1.248:ftp 103.144.31.105:ftp
显示所有udp连接
ss -u -a
State Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0 0 *:40576 *:*
UNCONN 0 0 *:bootpc *:*
UNCONN 0 0 127.0.0.1:323 *:*
UNCONN 0 0 ::1:323 :::*
列出已建立的连接
默认情况下,如果我们运行ss命令而没有指定其他选项,它将显示所有已建立连接的打开的非侦听套接字的列表,例如TCP,UDP或UNIX套接字
ss | head -n 5
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
u_str ESTAB 0 0 /var/run/dbus/system_bus_socket -805493232 * -805493994
u_str ESTAB 0 0 * 18208 * 0
u_str ESTAB 0 0 /var/run/dbus/system_bus_socket 19650 * 20483
u_str ESTAB 0 0 * -803799086 * -803794457
显示监听套接字
使用-l选项专门列出当前正在侦听连接的套接字,而不是列出所有的套接字
ss -lt
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:6379 *:*
LISTEN 0 128 *:http *:*
LISTEN 0 128 *:9520 *:*
LISTEN 0 128 *:9521 *:*
LISTEN 0 9 *:ftp *:*
LISTEN 0 128 *:https *:*
LISTEN 0 128 *:20033 *:*
LISTEN 0 128 :::6379 :::*
LISTEN 0 9 :::ftp :::*
显示进程
用-p选项打印出拥有套接字的进程或PID号
ss -pl
不解析服务器名称
默认情况下,ss只会解析端口号
ss -n
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
u_str ESTAB 0 0 /var/run/dbus/system_bus_socket -805493232 * -805493994
u_str ESTAB 0 0 * 18208 * 0
u_str ESTAB 0 0 /var/run/dbus/system_bus_socket 19650 * 20483
u_str ESTAB 0 0 * -803799086 * -803794457
u_str ESTAB 0 0 * 2106827963 * 2106827962