| .TH SS 8 |
| .SH NAME |
| ss \- another utility to investigate sockets |
| .SH SYNOPSIS |
| .B ss |
| .RI [ options ] " [ FILTER ]" |
| .SH DESCRIPTION |
| .B ss |
| is used to dump socket statistics. It allows showing information similar |
| to |
| .IR netstat . |
| It can display more TCP and state informations than other tools. |
| |
| .SH OPTIONS |
| When no option is used ss displays a list of |
| open non-listening sockets (e.g. TCP/UNIX/UDP) that have established connection. |
| .TP |
| .B \-h, \-\-help |
| Show summary of options. |
| .TP |
| .B \-V, \-\-version |
| Output version information. |
| .TP |
| .B \-H, \-\-no-header |
| Suppress header line. |
| .TP |
| .B \-n, \-\-numeric |
| Do not try to resolve service names. |
| .TP |
| .B \-r, \-\-resolve |
| Try to resolve numeric address/ports. |
| .TP |
| .B \-a, \-\-all |
| Display both listening and non-listening (for TCP this means established connections) sockets. |
| .TP |
| .B \-l, \-\-listening |
| Display only listening sockets (these are omitted by default). |
| .TP |
| .B \-o, \-\-options |
| Show timer information. |
| .TP |
| .B \-e, \-\-extended |
| Show detailed socket information |
| .TP |
| .B \-m, \-\-memory |
| Show socket memory usage. |
| .TP |
| .B \-p, \-\-processes |
| Show process using socket. |
| .TP |
| .B \-i, \-\-info |
| Show internal TCP information. |
| .TP |
| .B \-K, \-\-kill |
| Attempts to forcibly close sockets. This option displays sockets that are |
| successfully closed and silently skips sockets that the kernel does not support |
| closing. It supports IPv4 and IPv6 sockets only. |
| .TP |
| .B \-s, \-\-summary |
| Print summary statistics. This option does not parse socket lists obtaining |
| summary from various sources. It is useful when amount of sockets is so huge |
| that parsing /proc/net/tcp is painful. |
| .TP |
| .B \-Z, \-\-context |
| As the |
| .B \-p |
| option but also shows process security context. |
| .sp |
| For |
| .BR netlink (7) |
| sockets the initiating process context is displayed as follows: |
| .RS |
| .RS |
| .IP "1." 4 |
| If valid pid show the process context. |
| .IP "2." 4 |
| If destination is kernel (pid = 0) show kernel initial context. |
| .IP "3." 4 |
| If a unique identifier has been allocated by the kernel or netlink user, |
| show context as "unavailable". This will generally indicate that a |
| process has more than one netlink socket active. |
| .RE |
| .RE |
| .TP |
| .B \-z, \-\-contexts |
| As the |
| .B \-Z |
| option but also shows the socket context. The socket context is |
| taken from the associated inode and is not the actual socket |
| context held by the kernel. Sockets are typically labeled with the |
| context of the creating process, however the context shown will reflect |
| any policy role, type and/or range transition rules applied, |
| and is therefore a useful reference. |
| .TP |
| .B \-N NSNAME, \-\-net=NSNAME |
| Switch to the specified network namespace name. |
| .TP |
| .B \-b, \-\-bpf |
| Show socket BPF filters (only administrators are allowed to get these information). |
| .TP |
| .B \-4, \-\-ipv4 |
| Display only IP version 4 sockets (alias for -f inet). |
| .TP |
| .B \-6, \-\-ipv6 |
| Display only IP version 6 sockets (alias for -f inet6). |
| .TP |
| .B \-0, \-\-packet |
| Display PACKET sockets (alias for -f link). |
| .TP |
| .B \-t, \-\-tcp |
| Display TCP sockets. |
| .TP |
| .B \-u, \-\-udp |
| Display UDP sockets. |
| .TP |
| .B \-d, \-\-dccp |
| Display DCCP sockets. |
| .TP |
| .B \-w, \-\-raw |
| Display RAW sockets. |
| .TP |
| .B \-x, \-\-unix |
| Display Unix domain sockets (alias for -f unix). |
| .TP |
| .B \-S, \-\-sctp |
| Display SCTP sockets. |
| .TP |
| .B \-f FAMILY, \-\-family=FAMILY |
| Display sockets of type FAMILY. |
| Currently the following families are supported: unix, inet, inet6, link, netlink. |
| .TP |
| .B \-A QUERY, \-\-query=QUERY, \-\-socket=QUERY |
| List of socket tables to dump, separated by commas. The following identifiers |
| are understood: all, inet, tcp, udp, raw, unix, packet, netlink, unix_dgram, |
| unix_stream, unix_seqpacket, packet_raw, packet_dgram, dccp, sctp. |
| .TP |
| .B \-D FILE, \-\-diag=FILE |
| Do not display anything, just dump raw information about TCP sockets to FILE after applying filters. If FILE is - stdout is used. |
| .TP |
| .B \-F FILE, \-\-filter=FILE |
| Read filter information from FILE. |
| Each line of FILE is interpreted like single command line option. If FILE is - stdin is used. |
| .TP |
| .B FILTER := [ state STATE-FILTER ] [ EXPRESSION ] |
| Please take a look at the official documentation (Debian package iproute-doc) for details regarding filters. |
| |
| .SH STATE-FILTER |
| |
| .B STATE-FILTER |
| allows to construct arbitrary set of states to match. Its syntax is sequence of keywords state and exclude followed by identifier of state. |
| .TP |
| Available identifiers are: |
| |
| All standard TCP states: |
| .BR established ", " syn-sent ", " syn-recv ", " fin-wait-1 ", " fin-wait-2 ", " time-wait ", " closed ", " close-wait ", " last-ack ", " |
| .BR listen " and " closing. |
| |
| .B all |
| - for all the states |
| |
| .B connected |
| - all the states except for |
| .BR listen " and " closed |
| |
| .B synchronized |
| - all the |
| .B connected |
| states except for |
| .B syn-sent |
| |
| .B bucket |
| - states, which are maintained as minisockets, i.e. |
| .BR time-wait " and " syn-recv |
| |
| .B big |
| - opposite to |
| .B bucket |
| |
| .SH USAGE EXAMPLES |
| .TP |
| .B ss -t -a |
| Display all TCP sockets. |
| .TP |
| .B ss -t -a -Z |
| Display all TCP sockets with process SELinux security contexts. |
| .TP |
| .B ss -u -a |
| Display all UDP sockets. |
| .TP |
| .B ss -o state established '( dport = :ssh or sport = :ssh )' |
| Display all established ssh connections. |
| .TP |
| .B ss -x src /tmp/.X11-unix/* |
| Find all local processes connected to X server. |
| .TP |
| .B ss -o state fin-wait-1 '( sport = :http or sport = :https )' dst 193.233.7/24 |
| List all the tcp sockets in state FIN-WAIT-1 for our apache to network 193.233.7/24 and look at their timers. |
| .SH SEE ALSO |
| .BR ip (8), |
| .BR /usr/share/doc/iproute-doc/ss.html " (package iprouteĀdoc)", |
| .br |
| .BR RFC " 793 " |
| - https://tools.ietf.org/rfc/rfc793.txt (TCP states) |
| |
| .SH AUTHOR |
| .I ss |
| was written by Alexey Kuznetsov, <kuznet@ms2.inr.ac.ru>. |
| .PP |
| This manual page was written by Michael Prokop <mika@grml.org> |
| for the Debian project (but may be used by others). |