| .TH SS 8 |
| .SH NAME |
| ss \- another utility to investigate sockets |
| .SH SYNOPSIS |
| .B ss |
| .RI [ options ] " [ FILTER ]" |
| .SH DESCRIPTION |
| .B ss |
| is used to dump socket statistics. It allows showing information similar |
| to |
| .IR netstat . |
| It can display more TCP and state information than other tools. |
| |
| .SH OPTIONS |
| When no option is used ss displays a list of open non-listening |
| sockets (e.g. TCP/UNIX/UDP) that have established connection. |
| .TP |
| .B \-h, \-\-help |
| Show summary of options. |
| .TP |
| .B \-V, \-\-version |
| Output version information. |
| .TP |
| .B \-H, \-\-no-header |
| Suppress header line. |
| .TP |
| .B \-O, \-\-oneline |
| Print each socket's data on a single line. |
| .TP |
| .B \-n, \-\-numeric |
| Do not try to resolve service names. Show exact bandwidth values, instead of human-readable. |
| .TP |
| .B \-r, \-\-resolve |
| Try to resolve numeric address/ports. |
| .TP |
| .B \-a, \-\-all |
| Display both listening and non-listening (for TCP this means |
| established connections) sockets. |
| .TP |
| .B \-l, \-\-listening |
| Display only listening sockets (these are omitted by default). |
| .TP |
| .B \-o, \-\-options |
| Show timer information. For TCP protocol, the output format is: |
| .RS |
| .P |
| timer:(<timer_name>,<expire_time>,<retrans>) |
| .P |
| .TP |
| .B <timer_name> |
| the name of the timer, there are five kind of timer names: |
| .RS |
| .P |
| .B on |
| : means one of these timers: TCP retrans timer, TCP early retrans |
| timer and tail loss probe timer |
| .P |
| .BR keepalive ": tcp keep alive timer" |
| .P |
| .BR timewait ": timewait stage timer" |
| .P |
| .BR persist ": zero window probe timer" |
| .P |
| .BR unknown ": none of the above timers" |
| .RE |
| .TP |
| .B <expire_time> |
| how long time the timer will expire |
| .P |
| .TP |
| .B <retrans> |
| how many times the retransmission occured |
| .RE |
| .TP |
| .B \-e, \-\-extended |
| Show detailed socket information. The output format is: |
| .RS |
| .P |
| uid:<uid_number> ino:<inode_number> sk:<cookie> |
| .P |
| .TP |
| .B <uid_number> |
| the user id the socket belongs to |
| .P |
| .TP |
| .B <inode_number> |
| the socket's inode number in VFS |
| .P |
| .TP |
| .B <cookie> |
| an uuid of the socket |
| .RE |
| .TP |
| .B \-m, \-\-memory |
| Show socket memory usage. The output format is: |
| .RS |
| .P |
| skmem:(r<rmem_alloc>,rb<rcv_buf>,t<wmem_alloc>,tb<snd_buf>, |
| .br |
| .RS |
| .RS |
| f<fwd_alloc>,w<wmem_queued>,o<opt_mem>, |
| .RE |
| .RE |
| .br |
| .RS |
| .RS |
| bl<back_log>,d<sock_drop>) |
| .RE |
| .RE |
| .P |
| .TP |
| .B <rmem_alloc> |
| the memory allocated for receiving packet |
| .P |
| .TP |
| .B <rcv_buf> |
| the total memory can be allocated for receiving packet |
| .P |
| .TP |
| .B <wmem_alloc> |
| the memory used for sending packet (which has been sent to layer 3) |
| .P |
| .TP |
| .B <snd_buf> |
| the total memory can be allocated for sending packet |
| .P |
| .TP |
| .B <fwd_alloc> |
| the memory allocated by the socket as cache, but not used for |
| receiving/sending packet yet. If need memory to send/receive packet, |
| the memory in this cache will be used before allocate additional |
| memory. |
| .P |
| .TP |
| .B <wmem_queued> |
| The memory allocated for sending packet (which has not been sent to layer 3) |
| .P |
| .TP |
| .B <ropt_mem> |
| The memory used for storing socket option, e.g., the key for TCP MD5 signature |
| .P |
| .TP |
| .B <back_log> |
| The memory used for the sk backlog queue. On a process context, if the |
| process is receiving packet, and a new packet is received, it will be |
| put into the sk backlog queue, so it can be received by the process |
| immediately |
| .P |
| .TP |
| .B <sock_drop> |
| the number of packets dropped before they are de-multiplexed into the socket |
| .RE |
| .TP |
| .B \-p, \-\-processes |
| Show process using socket. |
| .TP |
| .B \-i, \-\-info |
| Show internal TCP information. Below fields may appear: |
| .RS |
| .P |
| .TP |
| .B ts |
| show string "ts" if the timestamp option is set |
| .P |
| .TP |
| .B sack |
| show string "sack" if the sack option is set |
| .P |
| .TP |
| .B ecn |
| show string "ecn" if the explicit congestion notification option is set |
| .P |
| .TP |
| .B ecnseen |
| show string "ecnseen" if the saw ecn flag is found in received packets |
| .P |
| .TP |
| .B fastopen |
| show string "fastopen" if the fastopen option is set |
| .P |
| .TP |
| .B cong_alg |
| the congestion algorithm name, the default congestion algorithm is "cubic" |
| .P |
| .TP |
| .B wscale:<snd_wscale>:<rcv_wscale> |
| if window scale option is used, this field shows the send scale factor |
| and receive scale factor |
| .P |
| .TP |
| .B rto:<icsk_rto> |
| tcp re-transmission timeout value, the unit is millisecond |
| .P |
| .TP |
| .B backoff:<icsk_backoff> |
| used for exponential backoff re-transmission, the actual |
| re-transmission timeout value is icsk_rto << icsk_backoff |
| .P |
| .TP |
| .B rtt:<rtt>/<rttvar> |
| rtt is the average round trip time, rttvar is the mean deviation of |
| rtt, their units are millisecond |
| .P |
| .TP |
| .B ato:<ato> |
| ack timeout, unit is millisecond, used for delay ack mode |
| .P |
| .TP |
| .B mss:<mss> |
| max segment size |
| .P |
| .TP |
| .B cwnd:<cwnd> |
| congestion window size |
| .P |
| .TP |
| .B pmtu:<pmtu> |
| path MTU value |
| .P |
| .TP |
| .B ssthresh:<ssthresh> |
| tcp congestion window slow start threshold |
| .P |
| .TP |
| .B bytes_acked:<bytes_acked> |
| bytes acked |
| .P |
| .TP |
| .B bytes_received:<bytes_received> |
| bytes received |
| .P |
| .TP |
| .B segs_out:<segs_out> |
| segments sent out |
| .P |
| .TP |
| .B segs_in:<segs_in> |
| segments received |
| .P |
| .TP |
| .B send <send_bps>bps |
| egress bps |
| .P |
| .TP |
| .B lastsnd:<lastsnd> |
| how long time since the last packet sent, the unit is millisecond |
| .P |
| .TP |
| .B lastrcv:<lastrcv> |
| how long time since the last packet received, the unit is millisecond |
| .P |
| .TP |
| .B lastack:<lastack> |
| how long time since the last ack received, the unit is millisecond |
| .P |
| .TP |
| .B pacing_rate <pacing_rate>bps/<max_pacing_rate>bps |
| the pacing rate and max pacing rate |
| .P |
| .TP |
| .B rcv_space:<rcv_space> |
| a helper variable for TCP internal auto tuning socket receive buffer |
| .RE |
| .TP |
| .B \-\-tos |
| Show ToS and priority information. Below fields may appear: |
| .RS |
| .P |
| .TP |
| .B tos |
| IPv4 Type-of-Service byte |
| .P |
| .TP |
| .B tclass |
| IPv6 Traffic Class byte |
| .P |
| .TP |
| .B class_id |
| Class id set by net_cls cgroup. If class is zero this shows priority |
| set by SO_PRIORITY. |
| .RE |
| .TP |
| .B \-K, \-\-kill |
| Attempts to forcibly close sockets. This option displays sockets that are |
| successfully closed and silently skips sockets that the kernel does not support |
| closing. It supports IPv4 and IPv6 sockets only. |
| .TP |
| .B \-s, \-\-summary |
| Print summary statistics. This option does not parse socket lists obtaining |
| summary from various sources. It is useful when amount of sockets is so huge |
| that parsing /proc/net/tcp is painful. |
| .TP |
| .B \-E, \-\-events |
| Continually display sockets as they are destroyed |
| .TP |
| .B \-Z, \-\-context |
| As the |
| .B \-p |
| option but also shows process security context. |
| .sp |
| For |
| .BR netlink (7) |
| sockets the initiating process context is displayed as follows: |
| .RS |
| .RS |
| .IP "1." 4 |
| If valid pid show the process context. |
| .IP "2." 4 |
| If destination is kernel (pid = 0) show kernel initial context. |
| .IP "3." 4 |
| If a unique identifier has been allocated by the kernel or netlink user, |
| show context as "unavailable". This will generally indicate that a |
| process has more than one netlink socket active. |
| .RE |
| .RE |
| .TP |
| .B \-z, \-\-contexts |
| As the |
| .B \-Z |
| option but also shows the socket context. The socket context is |
| taken from the associated inode and is not the actual socket |
| context held by the kernel. Sockets are typically labeled with the |
| context of the creating process, however the context shown will reflect |
| any policy role, type and/or range transition rules applied, |
| and is therefore a useful reference. |
| .TP |
| .B \-N NSNAME, \-\-net=NSNAME |
| Switch to the specified network namespace name. |
| .TP |
| .B \-b, \-\-bpf |
| Show socket BPF filters (only administrators are allowed to get these |
| information). |
| .TP |
| .B \-4, \-\-ipv4 |
| Display only IP version 4 sockets (alias for -f inet). |
| .TP |
| .B \-6, \-\-ipv6 |
| Display only IP version 6 sockets (alias for -f inet6). |
| .TP |
| .B \-0, \-\-packet |
| Display PACKET sockets (alias for -f link). |
| .TP |
| .B \-t, \-\-tcp |
| Display TCP sockets. |
| .TP |
| .B \-u, \-\-udp |
| Display UDP sockets. |
| .TP |
| .B \-d, \-\-dccp |
| Display DCCP sockets. |
| .TP |
| .B \-w, \-\-raw |
| Display RAW sockets. |
| .TP |
| .B \-x, \-\-unix |
| Display Unix domain sockets (alias for -f unix). |
| .TP |
| .B \-S, \-\-sctp |
| Display SCTP sockets. |
| .TP |
| .B \-\-vsock |
| Display vsock sockets (alias for -f vsock). |
| .TP |
| .B \-\-xdp |
| Display XDP sockets (alias for -f xdp). |
| .TP |
| .B \-f FAMILY, \-\-family=FAMILY |
| Display sockets of type FAMILY. Currently the following families are |
| supported: unix, inet, inet6, link, netlink, vsock, xdp. |
| .TP |
| .B \-A QUERY, \-\-query=QUERY, \-\-socket=QUERY |
| List of socket tables to dump, separated by commas. The following identifiers |
| are understood: all, inet, tcp, udp, raw, unix, packet, netlink, unix_dgram, |
| unix_stream, unix_seqpacket, packet_raw, packet_dgram, dccp, sctp, |
| vsock_stream, vsock_dgram, xdp Any item in the list may optionally be |
| prefixed by an exclamation mark |
| .RB ( ! ) |
| to exclude that socket table from being dumped. |
| .TP |
| .B \-D FILE, \-\-diag=FILE |
| Do not display anything, just dump raw information about TCP sockets |
| to FILE after applying filters. If FILE is - stdout is used. |
| .TP |
| .B \-F FILE, \-\-filter=FILE |
| Read filter information from FILE. Each line of FILE is interpreted |
| like single command line option. If FILE is - stdin is used. |
| .TP |
| .B FILTER := [ state STATE-FILTER ] [ EXPRESSION ] |
| Please take a look at the official documentation for details regarding filters. |
| |
| .SH STATE-FILTER |
| |
| .B STATE-FILTER |
| allows to construct arbitrary set of states to match. Its syntax is |
| sequence of keywords state and exclude followed by identifier of |
| state. |
| .TP |
| Available identifiers are: |
| |
| All standard TCP states: |
| .BR established ", " syn-sent ", " syn-recv ", " fin-wait-1 ", " fin-wait-2 ", " time-wait ", " closed ", " close-wait ", " last-ack ", " |
| .BR listening " and " closing. |
| |
| .B all |
| - for all the states |
| |
| .B connected |
| - all the states except for |
| .BR listening " and " closed |
| |
| .B synchronized |
| - all the |
| .B connected |
| states except for |
| .B syn-sent |
| |
| .B bucket |
| - states, which are maintained as minisockets, i.e. |
| .BR time-wait " and " syn-recv |
| |
| .B big |
| - opposite to |
| .B bucket |
| |
| .SH USAGE EXAMPLES |
| .TP |
| .B ss -t -a |
| Display all TCP sockets. |
| .TP |
| .B ss -t -a -Z |
| Display all TCP sockets with process SELinux security contexts. |
| .TP |
| .B ss -u -a |
| Display all UDP sockets. |
| .TP |
| .B ss -o state established '( dport = :ssh or sport = :ssh )' |
| Display all established ssh connections. |
| .TP |
| .B ss -x src /tmp/.X11-unix/* |
| Find all local processes connected to X server. |
| .TP |
| .B ss -o state fin-wait-1 '( sport = :http or sport = :https )' dst 193.233.7/24 |
| List all the tcp sockets in state FIN-WAIT-1 for our apache to network |
| 193.233.7/24 and look at their timers. |
| .TP |
| .B ss -a -A 'all,!tcp' |
| List sockets in all states from all socket tables but TCP. |
| .SH SEE ALSO |
| .BR ip (8), |
| .br |
| .BR RFC " 793 " |
| - https://tools.ietf.org/rfc/rfc793.txt (TCP states) |
| |
| .SH AUTHOR |
| .I ss |
| was written by Alexey Kuznetsov, <kuznet@ms2.inr.ac.ru>. |
| .PP |
| This manual page was written by Michael Prokop <mika@grml.org> |
| for the Debian project (but may be used by others). |