Never Ending Security

It starts all here

SS – Socket Statistics Commands Cheatsheet

ss – Socket Statistics

The ss command shows much more information than the netstat command and is also much more efficient (read: faster). The netstat command depends on various /proc files to gather information, and this is its main weak point: on a system that has a lot of network connections, this can take many precious seconds of your time. The ss command, on the other hand, gets all of its information directly from the kernel. The options you can use with the ss command are also very similar to those of the netstat command, and one can easily think of ss as a replacement command, but one would be very wrong…

List all connections

The simplest command is to list out all connections.

$ ss | less
Netid  State      Recv-Q Send-Q   Local Address:Port       Peer Address:Port   
u_str  ESTAB      0      0                    * 15545                 * 15544  
u_str  ESTAB      0      0                    * 12240                 * 12241  
u_str  ESTAB      0      0      @/tmp/dbus-2hQdRvvg49 12726           * 12159  
u_str  ESTAB      0      0                    * 11808                 * 11256  
u_str  ESTAB      0      0                    * 15204                 * 15205  
.....

Filter out tcp, udp or unix connections

To view only tcp, udp or unix connections, use the ‘-t’, ‘-u’ or ‘-x’ switch.

$ ss -t
State      Recv-Q Send-Q    Local Address:Port        Peer Address:Port   
ESTAB      0      0           192.168.1.2:43839     192.168.1.2:http    
ESTAB      0      0           192.168.1.2:43622     192.168.1.3:https   
ESTAB      0      0           192.168.1.2:33141     192.168.1.4:ircd    
ESTAB      0      0           192.168.1.2:54028     192.168.1.5:xmpp-client
$ ss -t
OR
$ ss -A tcp

By default the ‘-t’ switch reports only connections that are “established”; it does not report the ‘listening’ tcp sockets. Use the ‘-a’ switch to include the listening sockets as well.

List all udp connections

$ ss -ua
State      Recv-Q Send-Q    Local Address:Port        Peer Address:Port   
UNCONN     0      0           192.168.1.2:48268                  *:*       
UNCONN     0      0           192.168.1.2:56575                  *:*       
UNCONN     0      0                     *:40309                  *:*       
UNCONN     0      0           192.168.1.2:56879                  *:*       
UNCONN     0      0                     *:49014                  *:*       
UNCONN     0      0           192.168.1.2:53124                  *:*       
UNCONN     0      0             127.0.1.1:domain                 *:*

Do not resolve

To get your output really fast, use the ‘-n’ switch. This prevents ss from resolving IP addresses to hostnames. There’s a downside to this – port numbers are no longer resolved to service names either.

$ ss -nt
State      Recv-Q Send-Q      Local Address:Port        Peer Address:Port 
ESTAB      0      0             192.168.1.2:43839     192.168.1.2:80    
ESTAB      0      0             192.168.1.2:51350     192.168.1.3:443   
ESTAB      0      0             192.168.1.2:33141     192.168.1.4:6667  
ESTAB      0      0             192.168.1.2:54028     192.168.1.5:5222  
ESTAB      0      0             192.168.1.2:48156     192.168.1.2:5050

Show only listening sockets

Show only tcp sockets which are listening for incoming connections:

$ ss -ltn
State      Recv-Q Send-Q        Local Address:Port          Peer Address:Port 
LISTEN     0      5                 127.0.1.1:53                       *:*     
LISTEN     0      128               127.0.0.1:631                      *:*     
LISTEN     0      128                     ::1:631                     :::*

To list all listening udp connections, replace ‘-t’ with ‘-u’:

$ ss -lun
State      Recv-Q Send-Q        Local Address:Port          Peer Address:Port 
UNCONN     0      0                 127.0.1.1:53                       *:*     
UNCONN     0      0                         *:68                       *:*     
UNCONN     0      0               192.168.1.2:123                      *:*     
UNCONN     0      0                 127.0.0.1:123                      *:*     
UNCONN     0      0                         *:123                      *:*     
UNCONN     0      0                         *:5353                     *:*     
UNCONN     0      0                         *:47799                    *:*     
UNCONN     0      0                         *:25322                    *:*     
UNCONN     0      0                        :::54310                   :::*     
.....

Print process name and pid

You can also print the name and PID of the process that owns the connection with the ‘-p’ switch:

$ ss -ltp
State      Recv-Q Send-Q    Local Address:Port        Peer Address:Port   
LISTEN     0      100           127.0.0.1:smtp                   *:*       
LISTEN     0      128           127.0.0.1:9050                   *:*       
LISTEN     0      128                   *:90                     *:*       
LISTEN     0      5             127.0.0.1:6600                   *:*       
LISTEN     0      128           127.0.0.1:9000                   *:*  users:(("php5-fpm",1620,0))
...
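Combining the listening-socket and process switches gives a quick exposure audit. The following is an added example, not part of the original page: it reads `ss -ltnp` output and keeps only listeners bound to a non-loopback address. The function names and the sample rows are constructed for illustration, and it assumes TCP-only output (no Netid column); rows without a users:(...) column, which is what a non-root user sees for other users' processes, are reported as "unknown".

```shell
#!/bin/sh
# Added example (not from the original page): list TCP listeners that are
# reachable from other hosts, given `ss -ltnp` output on stdin.
# Live use, as root so -p can name every owner:  ss -ltnp | exposed_listeners

# Constructed sample in the style of the output above (not a real capture).
sample_ss_ltnp() {
cat <<'EOF'
State      Recv-Q Send-Q    Local Address:Port        Peer Address:Port
LISTEN     0      100           127.0.0.1:25                     *:*
LISTEN     0      128                   *:90                     *:*
LISTEN     0      128           127.0.0.1:9000                   *:*      users:(("php5-fpm",1620,0))
LISTEN     0      128                 ::1:631                   :::*
LISTEN     0      128                  :::8080                  :::*      users:(("java",2210,45))
EOF
}

# Prints "port address process" for every listener not bound to loopback.
exposed_listeners() {
    awk '
    $1 != "LISTEN" { next }                  # skip the header row
    {
        port = $4; sub(/.*:/, "", port)      # text after the last colon
        addr = $4; sub(/:[^:]*$/, "", addr)  # text before the last colon
        gsub(/\[|\]/, "", addr)              # newer ss prints [::] and [::1]
        if (addr ~ /^127\./ || addr == "::1") next   # loopback only
        proc = "unknown"                     # no users:(...) column shown
        if (match($0, /users:\(\("[^"]+"/))
            proc = substr($0, RSTART + 9, RLENGTH - 10)
        print port, addr, proc
    }'
}

sample_ss_ltnp | exposed_listeners
```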

Print summary statistics

The ‘-s’ switch prints out the statistics.

$ ss -s
Total: 526 (kernel 0)
TCP:   10 (estab 7, closed 0, orphaned 0, synrecv 0, timewait 0/0), ports 0

Transport Total     IP        IPv6
*     0         -         -        
RAW   0         0         0        
UDP   15        9         6        
TCP   10        9         1        
INET      25        18        7        
FRAG      0         0         0

Display timer information

With the ‘-o’ switch, the timer information of each connection will be displayed:

$ ss -tn -o
State      Recv-Q Send-Q      Local Address:Port        Peer Address:Port 
ESTAB      0      0             192.168.1.2:43839     192.168.1.2:80    
ESTAB      0      0             192.168.1.2:36335     192.168.1.2:80     timer:(keepalive,26sec,0)
...

Display only IPv4 / IPv6

To display only IPv4 socket connections, use the ‘-f inet’ or ‘-4’ switch.

$ ss -tl -f inet
State      Recv-Q Send-Q    Local Address:Port        Peer Address:Port   
LISTEN     0      100           127.0.0.1:smtp                   *:*       
LISTEN     0      128           127.0.0.1:9050                   *:*       
...

To display only IPv6 connections, use the ‘-f inet6’ or ‘-6’ switch.

$ ss -tl6
State      Recv-Q Send-Q    Local Address:Port        Peer Address:Port   
LISTEN     0      100                 ::1:smtp                  :::*         
LISTEN     0      128                  :::http                  :::*       
...

Filtering connections by tcp state

The ss command also supports filtering:

$ ss [ OPTIONS ] [ STATE-FILTER ] [ ADDRESS-FILTER ]

To display all IPv4 tcp sockets that are in the “established” state:

$ ss -t4 state established
Recv-Q Send-Q         Local Address:Port             Peer Address:Port   
0      0                192.168.1.2:54436          192.168.1.3:https   
0      0                192.168.1.2:43386          192.168.1.5:xmpp-client 
...

To display sockets with state ‘time-wait’:

$ ss -t4 state time-wait
Recv-Q Send-Q         Local Address:Port             Peer Address:Port   
0      0                192.168.1.2:42261           192.168.1.3:https   
....

The state can be:

  • established
  • syn-sent
  • syn-recv
  • fin-wait-1
  • fin-wait-2
  • time-wait
  • closed
  • close-wait
  • last-ack
  • closing
  • all – All of the above states
  • connected – All the states except for listen and closed
  • synchronized – All the connected states except for syn-sent
  • bucket – Show states, which are maintained as minisockets, i.e. time-wait and syn-recv.
  • big – Opposite to bucket state.

Note – Many states like syn-sent, syn-recv would not show any sockets most of the time, since sockets remain in such states for a very short time. It would be better to use the watch command to detect such socket states in real time.
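A snapshot tally makes those short-lived states easier to watch. The following is an added example, not part of the original page: it counts sockets per state from `ss -tan` output and prints an ALERT line when one local port holds more SYN-RECV (half-open) sockets than a threshold. The function names, the sample rows and the threshold values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): tally TCP states in one
# `ss -tan` snapshot and flag ports with many half-open (SYN-RECV) sockets.
# Live use: end a script with `ss -tan | tcp_state_summary 100` and run that
# script under watch. The threshold of 100 is an arbitrary assumption.

# Constructed snapshot using documentation addresses (not a real capture).
sample_ss_tan() {
cat <<'EOF'
State      Recv-Q Send-Q    Local Address:Port        Peer Address:Port
LISTEN     0      128                   *:80                     *:*
ESTAB      0      0           192.168.1.2:80          192.0.2.10:51514
ESTAB      0      0           192.168.1.2:43622      192.168.1.3:443
SYN-RECV   0      0           192.168.1.2:80        198.51.100.7:40112
SYN-RECV   0      0           192.168.1.2:80        198.51.100.8:40113
SYN-RECV   0      0           192.168.1.2:80        198.51.100.9:40114
TIME-WAIT  0      0           192.168.1.2:42261      192.168.1.3:443
EOF
}

# $1 = per-port SYN-RECV count above which an ALERT line is printed.
tcp_state_summary() {
    awk -v limit="${1:-100}" '
    $1 == "State" { next }                   # header row
    {
        count[$1]++
        if ($1 == "SYN-RECV") {              # half-open: handshake not finished
            port = $4; sub(/.*:/, "", port)
            half[port]++
        }
    }
    END {
        for (s in count) printf "%s %d\n", s, count[s]
        for (p in half)
            if (half[p] > limit + 0)
                printf "ALERT half-open port=%s count=%d\n", p, half[p]
    }' | sort
}

sample_ss_tan | tcp_state_summary 2
```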

Filter connections by address and port number

Apart from tcp socket states, the ss command also supports filtering based on the address and port number of the socket.

Display all socket connections with source or destination ssh port:

$ ss -at '( dport = :ssh or sport = :ssh )'
State      Recv-Q Send-Q    Local Address:Port        Peer Address:Port   
LISTEN     0      128                   *:ssh                    *:*       
LISTEN     0      128                  :::ssh                   :::*

Sockets with destination port 443 or 80

$ ss -nt '( dst :443 or dst :80 )'
State      Recv-Q Send-Q      Local Address:Port        Peer Address:Port 
ESTAB      0      0             192.168.1.2:58844      192.168.1.3:443   
...

Ports can also be filtered with dport/sport options. Port numbers must be prefixed with a “:”.

$ ss -nt dport = :80
State      Recv-Q Send-Q      Local Address:Port        Peer Address:Port 
ESTAB      0      0             192.168.1.2:56198     192.168.1.2:80    
...