summaryrefslogtreecommitdiffstats
path: root/man/man8/ss.8
diff options
context:
space:
mode:
Diffstat (limited to 'man/man8/ss.8')
-rw-r--r--man/man8/ss.8607
1 files changed, 607 insertions, 0 deletions
diff --git a/man/man8/ss.8 b/man/man8/ss.8
new file mode 100644
index 0000000..4ece41f
--- /dev/null
+++ b/man/man8/ss.8
@@ -0,0 +1,607 @@
+.TH SS 8
+.SH NAME
+ss \- another utility to investigate sockets
+.SH SYNOPSIS
+.B ss
+.RI [ options ] " [ FILTER ]"
+.SH DESCRIPTION
+.B ss
+is used to dump socket statistics. It allows showing information similar
+to
+.IR netstat .
+It can display more TCP and state information than other tools.
+
+.SH OPTIONS
+When no option is used ss displays a list of open non-listening
+sockets (e.g. TCP/UNIX/UDP) that have established connection.
+.TP
+.B \-h, \-\-help
+Show summary of options.
+.TP
+.B \-V, \-\-version
+Output version information.
+.TP
+.B \-H, \-\-no-header
+Suppress header line.
+.TP
+.B \-O, \-\-oneline
+Print each socket's data on a single line.
+.TP
+.B \-n, \-\-numeric
+Do not try to resolve service names. Show exact bandwidth values, instead of human-readable.
+.TP
+.B \-r, \-\-resolve
+Try to resolve numeric address/ports.
+.TP
+.B \-a, \-\-all
+Display both listening and non-listening (for TCP this means
+established connections) sockets.
+.TP
+.B \-l, \-\-listening
+Display only listening sockets (these are omitted by default).
+.TP
+.B \-B, \-\-bound-inactive
+Display only TCP bound but inactive (not listening, connecting, etc.) sockets
+(these are omitted by default).
+.TP
+.B \-o, \-\-options
+Show timer information. For TCP protocol, the output format is:
+.RS
+.P
+timer:(<timer_name>,<expire_time>,<retrans>)
+.P
+.TP
+.B <timer_name>
+the name of the timer, there are five kind of timer names:
+.RS
+.P
+.B on
+: means one of these timers: TCP retrans timer, TCP early retrans
+timer and tail loss probe timer
+.P
+.BR keepalive ": tcp keep alive timer"
+.P
+.BR timewait ": timewait stage timer"
+.P
+.BR persist ": zero window probe timer"
+.P
+.BR unknown ": none of the above timers"
+.RE
+.TP
+.B <expire_time>
+how long time the timer will expire
+.P
+.TP
+.B <retrans>
+how many times the retransmission occurred
+.RE
+.TP
+.B \-e, \-\-extended
+Show detailed socket information. The output format is:
+.RS
+.P
+uid:<uid_number> ino:<inode_number> sk:<cookie>
+.P
+.TP
+.B <uid_number>
+the user id the socket belongs to
+.P
+.TP
+.B <inode_number>
+the socket's inode number in VFS
+.P
+.TP
+.B <cookie>
+an uuid of the socket
+.RE
+.TP
+.B \-m, \-\-memory
+Show socket memory usage. The output format is:
+.RS
+.P
+skmem:(r<rmem_alloc>,rb<rcv_buf>,t<wmem_alloc>,tb<snd_buf>,
+.br
+.RS
+.RS
+f<fwd_alloc>,w<wmem_queued>,o<opt_mem>,
+.RE
+.RE
+.br
+.RS
+.RS
+bl<back_log>,d<sock_drop>)
+.RE
+.RE
+.P
+.TP
+.B <rmem_alloc>
+the memory allocated for receiving packet
+.P
+.TP
+.B <rcv_buf>
+the total memory can be allocated for receiving packet
+.P
+.TP
+.B <wmem_alloc>
+the memory used for sending packet (which has been sent to layer 3)
+.P
+.TP
+.B <snd_buf>
+the total memory can be allocated for sending packet
+.P
+.TP
+.B <fwd_alloc>
+the memory allocated by the socket as cache, but not used for
+receiving/sending packet yet. If need memory to send/receive packet,
+the memory in this cache will be used before allocate additional
+memory.
+.P
+.TP
+.B <wmem_queued>
+The memory allocated for sending packet (which has not been sent to layer 3)
+.P
+.TP
+.B <opt_mem>
+The memory used for storing socket option, e.g., the key for TCP MD5 signature
+.P
+.TP
+.B <back_log>
+The memory used for the sk backlog queue. On a process context, if the
+process is receiving packet, and a new packet is received, it will be
+put into the sk backlog queue, so it can be received by the process
+immediately
+.P
+.TP
+.B <sock_drop>
+the number of packets dropped before they are de-multiplexed into the socket
+.RE
+.TP
+.B \-p, \-\-processes
+Show process using socket.
+.TP
+.B \-T, \-\-threads
+Show thread using socket. Implies
+.BR \-p .
+.TP
+.B \-i, \-\-info
+Show internal TCP information. Below fields may appear:
+.RS
+.P
+.TP
+.B ts
+show string "ts" if the timestamp option is set
+.P
+.TP
+.B sack
+show string "sack" if the sack option is set
+.P
+.TP
+.B ecn
+show string "ecn" if the explicit congestion notification option is set
+.P
+.TP
+.B ecnseen
+show string "ecnseen" if the saw ecn flag is found in received packets
+.P
+.TP
+.B fastopen
+show string "fastopen" if the fastopen option is set
+.P
+.TP
+.B cong_alg
+the congestion algorithm name, the default congestion algorithm is "cubic"
+.P
+.TP
+.B wscale:<snd_wscale>:<rcv_wscale>
+if window scale option is used, this field shows the send scale factor
+and receive scale factor
+.P
+.TP
+.B rto:<icsk_rto>
+tcp re-transmission timeout value, the unit is millisecond
+.P
+.TP
+.B backoff:<icsk_backoff>
+used for exponential backoff re-transmission, the actual
+re-transmission timeout value is icsk_rto << icsk_backoff
+.P
+.TP
+.B rtt:<rtt>/<rttvar>
+rtt is the average round trip time, rttvar is the mean deviation of
+rtt, their units are millisecond
+.P
+.TP
+.B ato:<ato>
+ack timeout, unit is millisecond, used for delay ack mode
+.P
+.TP
+.B mss:<mss>
+max segment size
+.P
+.TP
+.B cwnd:<cwnd>
+congestion window size
+.P
+.TP
+.B pmtu:<pmtu>
+path MTU value
+.P
+.TP
+.B ssthresh:<ssthresh>
+tcp congestion window slow start threshold
+.P
+.TP
+.B bytes_acked:<bytes_acked>
+bytes acked
+.P
+.TP
+.B bytes_received:<bytes_received>
+bytes received
+.P
+.TP
+.B segs_out:<segs_out>
+segments sent out
+.P
+.TP
+.B segs_in:<segs_in>
+segments received
+.P
+.TP
+.B send <send_bps>bps
+egress bps
+.P
+.TP
+.B lastsnd:<lastsnd>
+how long time since the last packet sent, the unit is millisecond
+.P
+.TP
+.B lastrcv:<lastrcv>
+how long time since the last packet received, the unit is millisecond
+.P
+.TP
+.B lastack:<lastack>
+how long time since the last ack received, the unit is millisecond
+.P
+.TP
+.B pacing_rate <pacing_rate>bps/<max_pacing_rate>bps
+the pacing rate and max pacing rate
+.P
+.TP
+.B rcv_space:<rcv_space>
+a helper variable for TCP internal auto tuning socket receive buffer
+.P
+.TP
+.B tcp-ulp-mptcp flags:[MmBbJjecv] token:<rem_token(rem_id)/loc_token(loc_id)> seq:<sn> sfseq:<ssn> ssnoff:<off> maplen:<maplen>
+MPTCP subflow information
+.P
+.RE
+.TP
+.B \-\-tos
+Show ToS and priority information. Below fields may appear:
+.RS
+.P
+.TP
+.B tos
+IPv4 Type-of-Service byte
+.P
+.TP
+.B tclass
+IPv6 Traffic Class byte
+.P
+.TP
+.B class_id
+Class id set by net_cls cgroup. If class is zero this shows priority
+set by SO_PRIORITY.
+.RE
+.TP
+.B \-\-cgroup
+Show cgroup information. Below fields may appear:
+.RS
+.P
+.TP
+.B cgroup
+Cgroup v2 pathname. This pathname is relative to the mount point of the hierarchy.
+.RE
+.TP
+.B \-\-tipcinfo
+Show internal tipc socket information.
+.TP
+.B \-K, \-\-kill
+Attempts to forcibly close sockets. This option displays sockets that are
+successfully closed and silently skips sockets that the kernel does not support
+closing. It supports IPv4 and IPv6 sockets only.
+.TP
+.B \-s, \-\-summary
+Print summary statistics. This option does not parse socket lists obtaining
+summary from various sources. It is useful when amount of sockets is so huge
+that parsing /proc/net/tcp is painful.
+.TP
+.B \-E, \-\-events
+Continually display sockets as they are destroyed
+.TP
+.B \-Z, \-\-context
+As the
+.B \-p
+option but also shows process security context. If the
+.B \-T
+option is used, also shows thread security context.
+.sp
+For
+.BR netlink (7)
+sockets the initiating process context is displayed as follows:
+.RS
+.RS
+.IP "1." 4
+If valid pid show the process context.
+.IP "2." 4
+If destination is kernel (pid = 0) show kernel initial context.
+.IP "3." 4
+If a unique identifier has been allocated by the kernel or netlink user,
+show context as "unavailable". This will generally indicate that a
+process has more than one netlink socket active.
+.RE
+.RE
+.TP
+.B \-z, \-\-contexts
+As the
+.B \-Z
+option but also shows the socket context. The socket context is
+taken from the associated inode and is not the actual socket
+context held by the kernel. Sockets are typically labeled with the
+context of the creating process, however the context shown will reflect
+any policy role, type and/or range transition rules applied,
+and is therefore a useful reference.
+.TP
+.B \-N NSNAME, \-\-net=NSNAME
+Switch to the specified network namespace name.
+.TP
+.B \-b, \-\-bpf
+Show socket classic BPF filters (only administrators are allowed to get these
+information).
+.TP
+.B \-4, \-\-ipv4
+Display only IP version 4 sockets (alias for -f inet).
+.TP
+.B \-6, \-\-ipv6
+Display only IP version 6 sockets (alias for -f inet6).
+.TP
+.B \-0, \-\-packet
+Display PACKET sockets (alias for -f link).
+.TP
+.B \-t, \-\-tcp
+Display TCP sockets.
+.TP
+.B \-u, \-\-udp
+Display UDP sockets.
+.TP
+.B \-d, \-\-dccp
+Display DCCP sockets.
+.TP
+.B \-w, \-\-raw
+Display RAW sockets.
+.TP
+.B \-x, \-\-unix
+Display Unix domain sockets (alias for -f unix).
+.TP
+.B \-S, \-\-sctp
+Display SCTP sockets.
+.TP
+.B \-\-tipc
+Display tipc sockets (alias for -f tipc).
+.TP
+.TP
+.B \-\-vsock
+Display vsock sockets (alias for -f vsock).
+.TP
+.B \-\-xdp
+Display XDP sockets (alias for -f xdp).
+.TP
+.B \-M, \-\-mptcp
+Display MPTCP sockets.
+.TP
+.B \-\-inet-sockopt
+Display inet socket options.
+.TP
+.B \-f FAMILY, \-\-family=FAMILY
+Display sockets of type FAMILY. Currently the following families are
+supported: unix, inet, inet6, link, netlink, vsock, tipc, xdp.
+.TP
+.B \-A QUERY, \-\-query=QUERY, \-\-socket=QUERY
+List of socket tables to dump, separated by commas. The following identifiers
+are understood: all, inet, tcp, udp, raw, unix, packet, netlink, unix_dgram,
+unix_stream, unix_seqpacket, packet_raw, packet_dgram, dccp, sctp, tipc,
+vsock_stream, vsock_dgram, xdp, mptcp. Any item in the list may optionally be
+prefixed by an exclamation mark
+.RB ( ! )
+to exclude that socket table from being dumped.
+.TP
+.B \-D FILE, \-\-diag=FILE
+Do not display anything, just dump raw information about TCP sockets
+to FILE after applying filters. If FILE is - stdout is used.
+.TP
+.B \-F FILE, \-\-filter=FILE
+Read filter information from FILE. Each line of FILE is interpreted
+like single command line option. If FILE is - stdin is used.
+.TP
+.B FILTER := [ state STATE-FILTER ] [ EXPRESSION ]
+Please take a look at the official documentation for details regarding filters.
+
+.SH STATE-FILTER
+
+.B STATE-FILTER
+allows one to construct arbitrary set of states to match. Its syntax is
+sequence of keywords state and exclude followed by identifier of
+state.
+.TP
+Available identifiers are:
+
+All standard TCP states:
+.BR established ", " syn-sent ", " syn-recv ", " fin-wait-1 ", " fin-wait-2 ", " time-wait ", " closed ", " close-wait ", " last-ack ", "
+.BR listening " and " closing.
+
+.B all
+- for all the states
+
+.B connected
+- all the states except for
+.BR listening " and " closed
+
+.B synchronized
+- all the
+.B connected
+states except for
+.B syn-sent
+
+.B bucket
+- states, which are maintained as minisockets, i.e.
+.BR time-wait " and " syn-recv
+
+.B big
+- opposite to
+.B bucket
+
+.B bound-inactive
+- bound but otherwise inactive sockets (not listening, connecting, etc.)
+
+.SH EXPRESSION
+
+.B EXPRESSION
+allows filtering based on specific criteria.
+.B EXPRESSION
+consists of a series of predicates combined by boolean operators. The possible operators in increasing
+order of precedence are
+.B or
+(or | or ||),
+.B and
+(or & or &&), and
+.B not
+(or !). If no operator is between consecutive predicates, an implicit
+.B and
+operator is assumed. Subexpressions can be grouped with "(" and ")".
+.P
+The following predicates are supported:
+
+.TP
+.B {dst|src} [=] HOST
+Test if the destination or source matches HOST. See HOST SYNTAX for details.
+.TP
+.B {dport|sport} [OP] [FAMILY:]:PORT
+Compare the destination or source port to PORT. OP can be any of "<", "<=", "=", "!=",
+">=" and ">". Following normal arithmetic rules. FAMILY and PORT are as described in
+HOST SYNTAX below.
+.TP
+.B dev [=|!=] DEVICE
+Match based on the device the connection uses. DEVICE can either be a device name or the
+index of the interface.
+.TP
+.B fwmark [=|!=] MASK
+Matches based on the fwmark value for the connection. This can either be a specific mark value
+or a mark value followed by a "/" and a bitmask of which bits to use in the comparison. For example
+"fwmark = 0x01/0x03" would match if the two least significant bits of the fwmark were 0x01.
+.TP
+.B cgroup [=|!=] PATH
+Match if the connection is part of a cgroup at the given path.
+.TP
+.B autobound
+Match if the port or path of the source address was automatically allocated
+(rather than explicitly specified).
+.P
+Most operators have aliases. If no operator is supplied "=" is assumed.
+Each of the following groups of operators are all equivalent:
+.RS
+.IP \(bu 2
+= == eq
+.IP \(bu
+!= ne neq
+.IP \(bu
+> gt
+.IP \(bu
+< lt
+.IP \(bu
+>= ge geq
+.IP \(bu
+<= le leq
+.IP \(bu
+! not
+.IP \(bu
+| || or
+.IP \(bu
+& && and
+.RE
+.SH HOST SYNTAX
+.P
+The general host syntax is [FAMILY:]ADDRESS[:PORT].
+.P
+FAMILY must be one of the families supported by the -f option. If not given
+it defaults to the family given with the -f option, and if that is also
+missing, will assume either inet or inet6. Note that all host conditions in the
+expression should either all be the same family or be only inet and inet6. If there
+is some other mixture of families, the results will probably be unexpected.
+.P
+The form of ADDRESS and PORT depends on the family used. "*" can be used as
+a wildcard for either the address or port. The details for each family are as
+follows:
+.TP
+.B unix
+ADDRESS is a glob pattern (see
+.BR fnmatch (3))
+that will be matched case-insensitively against the unix socket's address. Both path and abstract
+names are supported. Unix addresses do not support a port, and "*" cannot be used as a wildcard.
+.TP
+.B link
+ADDRESS is the case-insensitive name of an Ethernet protocol to match. PORT
+is either a device name or a device index for the desired link device, as seen
+in the output of ip link.
+.TP
+.B netlink
+ADDRESS is a descriptor of the netlink family. Possible values come from
+/etc/iproute2/nl_protos. PORT is the port id of the socket, which is usually
+the same as the owning process id. The value "kernel" can be used to represent
+the kernel (port id of 0).
+.TP
+.B vsock
+ADDRESS is an integer representing the CID address, and PORT is the port.
+.TP
+.BR inet \ and\ inet6
+ADDRESS is an ip address (either v4 or v6 depending on the family) or a DNS
+hostname that resolves to an ip address of the required version. An ipv6
+address must be enclosed in "[" and "]" to disambiguate the port separator. The
+address may additionally have a prefix length given in CIDR notation (a slash
+followed by the prefix length in bits). PORT is either the numerical
+socket port, or the service name for the port to match.
+
+.SH USAGE EXAMPLES
+.TP
+.B ss -t -a
+Display all TCP sockets.
+.TP
+.B ss -t -a -Z
+Display all TCP sockets with process SELinux security contexts.
+.TP
+.B ss -u -a
+Display all UDP sockets.
+.TP
+.B ss -o state established '( dport = :ssh or sport = :ssh )'
+Display all established ssh connections.
+.TP
+.B ss -x src /tmp/.X11-unix/*
+Find all local processes connected to X server.
+.TP
+.B ss -o state fin-wait-1 '( sport = :http or sport = :https )' dst 193.233.7/24
+List all the tcp sockets in state FIN-WAIT-1 for our apache to network
+193.233.7/24 and look at their timers.
+.TP
+.B ss -a -A 'all,!tcp'
+List sockets in all states from all socket tables but TCP.
+.SH SEE ALSO
+.BR ip (8),
+.br
+.BR RFC " 793 "
+- https://tools.ietf.org/rfc/rfc793.txt (TCP states)
+
+.SH AUTHOR
+.I ss
+was written by Alexey Kuznetsov, <kuznet@ms2.inr.ac.ru>.
+.PP
+This manual page was written by Michael Prokop <mika@grml.org>
+for the Debian project (but may be used by others).