ssis one another utility to investigate sockets. Functionally it is NOT better than
netstatcombined with some perl/awk scripts and though it is surely faster it is not enough to make it much better. :-) So, stop reading this now and do not waste your time. Well, certainly, it proposes some functionality, which current netstat is still not able to do, but surely will soon.
/proc interface is inadequate, unfortunately.
When amount of sockets is enough large,
netstat or even
cat /proc/net/tcp/ cause nothing but pains and curses.
In linux-2.4 the desease became worse: even if amount
of sockets is small reading
/proc/net/tcp/ is slow enough.
This utility presents a new approach, which is supposed to scale
well. I am not going to describe technical details here and
will concentrate on description of the command.
The only important thing to say is that it is not so bad idea
to load module
tcp_diag, which can be found in directory
iproute2. If you do not make this
will work, but it falls back to
/proc and becomes slow
netstat, well, a bit faster yet (see section "Some numbers").
In the simplest form
ss is equivalent to netstat
with some small deviations.
ss -t -adumps all TCP sockets
ss -u -adumps all UDP sockets
ss -w -adumps all RAW sockets
ss -x -adumps all UNIX sockets
-o shows TCP timers state.
-e shows some extended information.
Etc. etc. etc. Seems, all the options of netstat related to sockets
are supported. Though not AX.25 and other bizarres. :-)
If someone wants, he can make support for decnet and ipx.
Some rudimentary support for them is already present in iproute2 libutils,
and I will be glad to see these new members.
However, standard functionality is a bit different:
The first: without option
-a sockets in states
SYN-RECV are skipped too.
It is more reasonable default, I think.
The second: format of UNIX sockets is different. It coincides with tcp/udp. Though standard kernel still does not allow to see write/read queues and peer address of connected UNIX sockets, the patch doing this exists.
The third: default is to dump only TCP sockets, rather than all of the types.
The next: by default it does not resolve numeric host addresses (like
Resolving is enabled with option
-r. Service names, usually stored
in local files, are resolved by default. Also, if service database
does not contain references to a port,
ss queries system
rpcbind. RPC services are prefixed with
Resolution of services may be suppressed with option
It does not accept "long" options (I dislike them, sorry).
So, address family is given with family identifier following
-f to be algined to iproute2 conventions.
Mostly, it is to allow option parser to parse
addresses correctly, but as side effect it really limits dumping
to sockets supporting only given family. Option
by list of socket tables to dump is also supported.
Logically, id of socket table is different of _address_ family, which is
another point of incompatibility. So, id is one of
inet is just abbreviation for
and it is not difficult to guess that
to look at packet sockets. Actually, there are also some other abbreviations,
unix_dgram selects only datagram UNIX sockets.
The next: well, I still do not know. :-)
It is builtin filtering of socket lists.
ss allows to filter socket states, using keywords
exclude, followed by some state
State identifier are standard TCP state names (not listed, they are useless for you if you already do not know them) or abbreviations:
all- for all the states
bucket- for TCP minisockets (
big- all except for minisockets
connected- not closed and not listening
synchronized- connected and not
F.e. to dump all tcp sockets except
ss exclude SYN-RECV
state filter defaults to
all with option
excluding listening, syn-recv, time-wait and closed sockets.
Option list may contain address/port filter.
It is boolean expression which consists of boolean operation
not and predicates.
Actually, all the flavors of names for boolean operations are eaten:
!, but do not forget
about special sense given to these symbols by unix shells and escape
them correctly, when used from command line.
Predicates may be of the folowing kinds:
Both prefix and port may be absent or replaced with
dst prefix:port src prefix:port src unix:STRING src link:protocol:ifindex src nl:channel:pid
*, which means wildcard. UNIX socket use more powerful scheme matching to socket names by shell wildcards. Also, prefixes unix: and link: may be omitted, if address family is evident from context (with option
-f unixor with
are equivalent and mean socket connected to any port on host 10.0.0.1
dst 10.0.0.1 dst 10.0.0.1: dst 10.0.0.1/32: dst 10.0.0.1:*
sockets connected to port 22 on network 10.0.0.0...255.
Note that port separated of address with colon, which creates troubles with IPv6 addresses. Generally, we interpret the last colon as splitting port. To allow to give IPv6 addresses, trick like used in IPv6 HTTP URLs may be used:
are sockets connected to ::1 on any port
Another way is
dst ::1128/. / helps to understand that
colon is part of IPv6 address.
Now we can add another alias for
dst [10.0.0.1]. :-)
Address may be a DNS name. In this case all the addresses are looked
up (in all the address families, if it is not limited by option
or special address prefix
inet6) and resulting
or over all of them.
etc. All the relations:
dport >= :1024 dport != :22 sport < :32000
ne... Use variant which you like more, but not forget to escape special characters when typing them in command line. :-) Note that port number syntactically coincides to the case A! You may even add an IP address, but it will not participate incomparison, except for
!=, which are equivalent to corresponding predicates of type A. F.e.
is equivalent to
dport eq 10.0.0.1:22
not dst 10.0.0.1:22 is equivalent to
dport neq 10.0.0.1:22
autobound. It matches to sockets bound automatically on local system.
FIN-WAIT-1for our apache to network 193.233.7/24 and look at their timers:
Oops, forgot to say that missing logical operation is equivalent to
ss -o state fin-wait-1 \( sport = :http or sport = :https \) \ dst 193.233.7/24
Note that we have to do _two_ calls of ss to do this. State match is always anded to address/port match. The reason for this is purely technical: ss does fast skip of not matching states before parsing addresses and I consider the ability to skip fastly gobs of time-wait and syn-recv sockets as more important than logical generality.
ss -o excl fin-wait-1 ss state fin-wait-1 \( sport neq :http and sport neq :https \) \ or not dst 193.233.7/24
ss -a -A all autobound
Pardon, this does not work with current kernel, patching is required. But we still can look at server side:
ss -xp dst "/tmp/.X11-unix/*"
ss -x src "/tmp/.X11-unix/*"
General format of arguments to
ss [ OPTIONS ] [ STATE-FILTER ] [ ADDRESS-FILTER ]
OPTIONS is list of single letter options, using common unix
-h- show help page
-?- the same, of course
-V- print version of
-s- print summary statistics. This option does not parse socket lists obtaining summary from various sources. It is useful when amount of sockets is so huge that parsing
-D FILE- do not display anything, just dump raw information about TCP sockets to
FILEafter applying filters. If
-F FILE- read continuation of filter from
FILE. Each line of
FILEis interpreted like single command line option. If
-r- try to resolve numeric address/ports
-n- do not try to resolve ports
-o- show some optional information, f.e. TCP timers
-i- show some infomration specific to TCP (RTO, congestion window, slow start threshould etc.)
-e- show even more optional information
-m- show extended information on memory used by the socket. It is available only with
-p- show list of processes owning the socket
-f FAMILY- default address family used for parsing addresses. Also this option limits listing to sockets supporting given address family. Currently the following families are supported:
-4- alias for
-6- alias for
-0- alias for
-A LIST-OF-TABLES- list of socket tables to dump, separated by commas. The following identifiers are understood:
-x- alias for
-t- alias for
-u- alias for
-w- alias for
-a- show sockets of all the states. By default sockets in states
-l- show only sockets in state
STATE-FILTER allows to construct arbitrary set of
states to match. Its syntax is sequence of keywords
exclude followed by identifier of state.
Available identifiers are:
all- for all the states
connected- all the states except for
synchronized- all the
connectedstates except for
bucket- states, which are maintained as minisockets, i.e.
big- opposite to
ADDRESS_FILTER is boolean expression with operations
not, which can be abbreviated in C style f.e. as
Predicates check socket addresses, both local and remote. There are the following kinds of predicates:
dst ADDRESS_PATTERN- matches remote address and port
src ADDRESS_PATTERN- matches local address and port
dport RELOP PORT- compares remote port to a number
sport RELOP PORT- compares local port to a number
autobound- checks that socket is bound to an ephemeral port
RELOP is some of
To make this more convinient for use in unix shell, alphabetic
gt etc. are accepted as well.
The format and semantics of
ADDRESS_PATTERN depends on address
ADDRESS_PATTERNconsists of IP prefix, optionally followed by colon and port. If prefix or port part is absent or replaced with
*, this means wildcard match.
inet6- The same as
inet, only prefix refers to an IPv6 address. Unlike
inetcolon becomes ambiguous, so that
ssallows to use scheme, like used in URLs, where address is suppounded with
ADDRESS_PATTERNis shell-style wildcard.
packet- format looks like
inet, only interface index stays instead of port and link layer protocol id instead of address.
netlink- format looks like
inet, only socket pid stays instead of port and netlink channel instead of address.
PORT is syntactically
ADDRESS_PATTERN with wildcard
address part. Certainly, it is undefined for UNIX sockets.
ss allows to change source of information using various
PROC_ROOT allows to change root of all the
TCPDIAG_FILE prescribes to open a file instead of
requesting kernel to dump information about TCP sockets.
This option is used mainly to investigate bug reports,
when dumps of files usually found in
/proc/ are recevied
Six columns. The first is
Netid, it denotes socket type and
transport protocol, when it is ambiguous:
u_str is abbreviation for
u_dgr for UNIX
nl for netlink,
raw and datagram packet sockets. This column is optional, it will
be hidden, if filter selects an unique netid.
The second column is
State. Socket state is displayed here.
The names are standard TCP names, except for
cannot happen for TCP, but normal for not connected sockets
of another types. Again, this column can be hidden.
Then two columns (
Send-Q) showing amount of data
queued for receive and transmit.
And the last two columns display local address and port of the socket and its peer address, if the socket is connected.
-p were given, options are
displayed not in fixed positions but separated by spaces pairs:
option:value. If value is not a single number, it is presented
as list of values, enclosed to
) and separated with
is typical format for TCP timer (option
is typical for list of users (option
Well, let us use
pidentd and a tool
ibench to measure
its performance. It is 30 requests per second here. Nothing to test,
it is too slow. OK, let us patch pidentd with patch from directory
Patches. After this it handles about 4300 requests per second
and becomes handy tool to pollute socket tables with lots of timewait
So, each test starts from pollution tables with 30000 sockets and then doing full dump of the table piped to wc and measuring timings with time:
netstat -at- 15.6 seconds
ss -atr, but without
tcp_diag- 5.4 seconds
tcp_diag- 0.47 seconds
No comments. Though one comment is necessary, most of time
tcp_diag is wasted inside kernel with completely
blocked networking. More than 10 seconds, yes.
does the same work for 100 milliseconds of system time.