SS Utility: Quick Intro

Alexey Kuznetosv,

some_negative_number, 20 Sep 2001
ss is one another utility to investigate sockets. Functionally it is NOT better than netstat combined with some perl/awk scripts and though it is surely faster it is not enough to make it much better. :-) So, stop reading this now and do not waste your time. Well, certainly, it proposes some functionality, which current netstat is still not able to do, but surely will soon.

1. Why?

/proc interface is inadequate, unfortunately. When amount of sockets is enough large, netstat or even plain cat /proc/net/tcp/ cause nothing but pains and curses. In linux-2.4 the desease became worse: even if amount of sockets is small reading /proc/net/tcp/ is slow enough.

This utility presents a new approach, which is supposed to scale well. I am not going to describe technical details here and will concentrate on description of the command. The only important thing to say is that it is not so bad idea to load module tcp_diag, which can be found in directory Modules of iproute2. If you do not make this ss will work, but it falls back to /proc and becomes slow like netstat, well, a bit faster yet (see section "Some numbers").

2. Old news

In the simplest form ss is equivalent to netstat with some small deviations.

Option -o shows TCP timers state. Option -e shows some extended information. Etc. etc. etc. Seems, all the options of netstat related to sockets are supported. Though not AX.25 and other bizarres. :-) If someone wants, he can make support for decnet and ipx. Some rudimentary support for them is already present in iproute2 libutils, and I will be glad to see these new members.

However, standard functionality is a bit different:

The first: without option -a sockets in states TIME-WAIT and SYN-RECV are skipped too. It is more reasonable default, I think.

The second: format of UNIX sockets is different. It coincides with tcp/udp. Though standard kernel still does not allow to see write/read queues and peer address of connected UNIX sockets, the patch doing this exists.

The third: default is to dump only TCP sockets, rather than all of the types.

The next: by default it does not resolve numeric host addresses (like ip)! Resolving is enabled with option -r. Service names, usually stored in local files, are resolved by default. Also, if service database does not contain references to a port, ss queries system rpcbind. RPC services are prefixed with rpc. Resolution of services may be suppressed with option -n.

It does not accept "long" options (I dislike them, sorry). So, address family is given with family identifier following option -f to be algined to iproute2 conventions. Mostly, it is to allow option parser to parse addresses correctly, but as side effect it really limits dumping to sockets supporting only given family. Option -A followed by list of socket tables to dump is also supported. Logically, id of socket table is different of _address_ family, which is another point of incompatibility. So, id is one of all, tcp, udp, raw, inet, unix, packet, netlink. See? Well, inet is just abbreviation for tcp|udp|raw and it is not difficult to guess that packet allows to look at packet sockets. Actually, there are also some other abbreviations, f.e. unix_dgram selects only datagram UNIX sockets.

The next: well, I still do not know. :-)

3. Time to talk about new functionality.

It is builtin filtering of socket lists.

3.1 Filtering by state.

ss allows to filter socket states, using keywords state and exclude, followed by some state identifier.

State identifier are standard TCP state names (not listed, they are useless for you if you already do not know them) or abbreviations:

F.e. to dump all tcp sockets except SYN-RECV:

   ss exclude SYN-RECV

If neither state nor exclude directives are present, state filter defaults to all with option -a or to all, excluding listening, syn-recv, time-wait and closed sockets.

3.2 Filtering by addresses and ports.

Option list may contain address/port filter. It is boolean expression which consists of boolean operation or, and, not and predicates. Actually, all the flavors of names for boolean operations are eaten: &, &&, |, ||, !, but do not forget about special sense given to these symbols by unix shells and escape them correctly, when used from command line.

Predicates may be of the folowing kinds:

4. Examples

5. Returning to ground: real manual

5.1 Command arguments

General format of arguments to ss is:



OPTIONS is list of single letter options, using common unix conventions.


STATE-FILTER allows to construct arbitrary set of states to match. Its syntax is sequence of keywords state and exclude followed by identifier of state. Available identifiers are:


ADDRESS_FILTER is boolean expression with operations and, or and not, which can be abbreviated in C style f.e. as &, &&.

Predicates check socket addresses, both local and remote. There are the following kinds of predicates:

RELOP is some of <=, >=, == etc. To make this more convinient for use in unix shell, alphabetic FORTRAN-like notations le, gt etc. are accepted as well.

The format and semantics of ADDRESS_PATTERN depends on address family.

PORT is syntactically ADDRESS_PATTERN with wildcard address part. Certainly, it is undefined for UNIX sockets.

5.2 Environment variables

ss allows to change source of information using various environment variables:

Variable PROC_ROOT allows to change root of all the /proc/ hierarchy.

Variable TCPDIAG_FILE prescribes to open a file instead of requesting kernel to dump information about TCP sockets.

This option is used mainly to investigate bug reports, when dumps of files usually found in /proc/ are recevied by e-mail.

5.3 Output format

Six columns. The first is Netid, it denotes socket type and transport protocol, when it is ambiguous: tcp, udp, raw, u_str is abbreviation for unix_stream, u_dgr for UNIX datagram sockets, nl for netlink, p_raw and p_dgr for raw and datagram packet sockets. This column is optional, it will be hidden, if filter selects an unique netid.

The second column is State. Socket state is displayed here. The names are standard TCP names, except for UNCONN, which cannot happen for TCP, but normal for not connected sockets of another types. Again, this column can be hidden.

Then two columns (Recv-Q and Send-Q) showing amount of data queued for receive and transmit.

And the last two columns display local address and port of the socket and its peer address, if the socket is connected.

If options -o, -e or -p were given, options are displayed not in fixed positions but separated by spaces pairs: option:value. If value is not a single number, it is presented as list of values, enclosed to ( ... ) and separated with commas. F.e.

is typical format for TCP timer (option -o).

is typical for list of users (option -p).

6. Some numbers

Well, let us use pidentd and a tool ibench to measure its performance. It is 30 requests per second here. Nothing to test, it is too slow. OK, let us patch pidentd with patch from directory Patches. After this it handles about 4300 requests per second and becomes handy tool to pollute socket tables with lots of timewait buckets.

So, each test starts from pollution tables with 30000 sockets and then doing full dump of the table piped to wc and measuring timings with time:


No comments. Though one comment is necessary, most of time without tcp_diag is wasted inside kernel with completely blocked networking. More than 10 seconds, yes. tcp_diag does the same work for 100 milliseconds of system time.