Tuesday, December 11, 2018

Using the Linux ss command to examine network and socket connections

The ss (socket statistics) command provides a lot of information by displaying details on socket activity. One way to get started, although this may be a bit overwhelming, is to use the ss -h (help) command to get a listing of the command's numerous options. Another is to try some of the more useful commands and get an idea what each of them can tell you.

One very useful command is the ss -s command. This command will show you some overall stats by transport type. In this output, we see stats for RAW, UDP, TCP, INET and FRAG sockets.

$ ss -s
Total: 524
TCP:   8 (estab 1, closed 0, orphaned 0, timewait 0)

Transport Total     IP        IPv6
RAW       2         1         1
UDP       7         5         2
TCP       8         6         2
INET      17        12        5
FRAG      0         0         0
  • Raw sockets allow direct sending and receiving of IP packets without protocol-specific transport layer formatting and are used for security appliications such as nmap.
  • TCP provides transmission control protocol and is the primary connection protocol.
  • UDP (user datagram protocol) is similar to TCP but without the error checking.
  • INET includes both of the above. (INET4 and INET6 can be viewed separately with some ss commands.)
  • FRAG — fragmented

Clearly the by-protocol lines above aren't displaying the totality of the socket activity. The figure in the Total line at the top of the output indicates that there is a lot more going on than the by-type lines suggest. Still, these breakdowns can be very useful.

If you want to see a list of all socket activity, you can use the ss -a command, but be prepared to see a lot of activity — as suggested by this output. Much of the socket activity on this system is local to the system being examined.

$ ss -a | wc -l

If you want to see a specific category of socket activity:

  • ss -ta dumps all TCP socket
  • ss -ua dumps all UDP sockets
  • ss -wa dumps all RAW sockets
  • ss -xa dumps all UNIX sockets
  • ss -4a dumps all IPV4 sockets
  • ss -6a dumps all IPV6 sockets

The a in each of the commands above means "all".

The ss command without arguments will display all established connections. Notice that only two of the connections shown below are for external connections — two other systems on the local network. A significant portion of the output below has been omitted for brevity.

$ ss | more
Netid  State Recv-Q Send-Q           Local Address:Port    Peer Address:Port
u_str  ESTAB 0      0                            * 20863              * 20864
u_str  ESTAB 0      0                            * 32232              * 33018
u_str  ESTAB 0      0                            * 33147              * 3257544ddddy
u_str  ESTAB 0      0            /run/user/121/bus 32796              * 32795
u_str  ESTAB 0      0            /run/user/121/bus 32574              * 32573
u_str  ESTAB 0      0                            * 32782              * 32783
u_str  ESTAB 0      0  /run/systemd/journal/stdout 19091              * 18113
u_str  ESTAB 0      0                            * 769568             * 768429
u_str  ESTAB 0      0                            * 32560              * 32561
u_str  ESTAB 0      0          @/tmp/dbus-8xbBdjNe 33155              * 33154
u_str  ESTAB 0      0  /run/systemd/journal/stdout 32783              * 32782
tcp    ESTAB 0     64       
tcp    ESTAB 0      0       

To see just established tcp connections, use the -t option.

$ ss -t
State    Recv-Q   Send-Q      Local Address:Port            Peer Address:Port
ESTAB    0        64     
ESTAB    0        0      

To display only listening sockets, try ss -lt.

$ ss -lt
State   Recv-Q   Send-Q      Local Address:Port             Peer Address:Port
LISTEN  0        10      *
LISTEN  0        128      *
LISTEN  0        128              *
LISTEN  0        5              *
LISTEN  0        10            *
LISTEN  0        128                  [::]:ssh                      [::]:*
LISTEN  0        5                   [::1]:ipp                      [::]:*

If you'd prefer to see port number than service names, try ss -ltn instead:

$ ss -ltn
State    Recv-Q    Send-Q        Local Address:Port        Peer Address:Port
LISTEN   0         10          *
LISTEN   0         128      *
LISTEN   0         128            *
LISTEN   0         5           *
LISTEN   0         10           *
LISTEN   0         128                    [::]:22                  [::]:*
LISTEN   0         5                     [::1]:631                 [::]:*

Plenty of help is available for the ss command either through the man page or by using the -h (help) option as shown below:

$ ss -h
Usage: ss [ OPTIONS ]
       ss [ OPTIONS ] [ FILTER ]
   -h, --help          this message
   -V, --version       output version information
   -n, --numeric       don't resolve service names
   -r, --resolve       resolve host names
   -a, --all           display all sockets
   -l, --listening     display listening sockets
   -o, --options       show timer information
   -e, --extended      show detailed socket information
   -m, --memory        show socket memory usage
   -p, --processes     show process using socket
   -i, --info          show internal TCP information
       --tipcinfo      show internal tipc socket information
   -s, --summary       show socket usage summary
   -b, --bpf           show bpf filter socket information
   -E, --events        continually display sockets as they are destroyed
   -Z, --context       display process SELinux security contexts
   -z, --contexts      display process and socket SELinux security contexts
   -N, --net           switch to the specified network namespace name

   -4, --ipv4          display only IP version 4 sockets
   -6, --ipv6          display only IP version 6 sockets
   -0, --packet        display PACKET sockets
   -t, --tcp           display only TCP sockets
   -S, --sctp          display only SCTP sockets
   -u, --udp           display only UDP sockets
   -d, --dccp          display only DCCP sockets
   -w, --raw           display only RAW sockets
   -x, --unix          display only Unix domain sockets
       --tipc          display only TIPC sockets
       --vsock         display only vsock sockets
   -f, --family=FAMILY display sockets of type FAMILY
       FAMILY := {inet|inet6|link|unix|netlink|vsock|tipc|help}

   -K, --kill          forcibly close sockets, display what was closed
   -H, --no-header     Suppress header line

   -A, --query=QUERY, --socket=QUERY
       QUERY := {all|inet|tcp|udp|raw|unix|unix_dgram|unix_stream|unix_seqpacket|packet|netlink|vsock_stream|vsock_dgram|tipc}[,QUERY]

   -D, --diag=FILE     Dump raw information about TCP sockets to FILE
   -F, --filter=FILE   read filter information from FILE
       FILTER := [ state STATE-FILTER ] [ EXPRESSION ]
       STATE-FILTER := {all|connected|synchronized|bucket|big|TCP-STATES}
         TCP-STATES := {established|syn-sent|syn-recv|fin-wait-{1,2}|time-wait|closed|close-wait|last-ack|listening|closing}
          connected := {established|syn-sent|syn-recv|fin-wait-{1,2}|time-wait|close-wait|last-ack|closing}
       synchronized := {established|syn-recv|fin-wait-{1,2}|time-wait|close-wait|last-ack|closing}
             bucket := {syn-recv|time-wait}
                big := {established|syn-sent|fin-wait-{1,2}|closed|close-wait|last-ack|listening|closing}

The ss command clearly offers a huge range of options for examining sockets, but you still might want to turn those that provide you with the most useful information into aliases to make them more memorable. For example:

$ alias listen="ss -lt"
$ alias socksum="ss -s"
Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Let's block ads! (Why?)

Thanks to Sandra Henry-Stocker (see source)

No comments:

Post a Comment