Good promise | The ss command: a network inspection tool you may not be using at all!

Posted by timcapulet on Thu, 05 Sep 2019 04:38:30 +0200

Today, let's introduce the Linux ss command.

ss stands for Socket Statistics; it reports information about socket connections. It is similar to netstat, but it has more powerful statistics features and can display more detailed connection information.

The ss command can be hard to get started with. You can read about its options in detail with ss -h or ss --help. Of course, the best way to learn ss is to try some common commands directly.

Now let's look at some practical uses of ss.

ss -s is a very useful command. It displays summary statistics by transport type. Let's try it.

$ ss -s
Total: 524
TCP:   8 (estab 1, closed 0, orphaned 0, timewait 0)

Transport Total     IP        IPv6
RAW       2         1         1
UDP       7         5         2
TCP       8         6         2
INET      17        12        5
FRAG      0         0         0
  • RAW: raw sockets. They allow IP packets to be sent and received directly, without going through a specific transport protocol, and are used by security applications such as nmap.
  • TCP: Transmission Control Protocol. It is the main connection protocol in our network connections.
  • UDP: User Datagram Protocol. Similar to TCP but without error checking.
  • INET: contains the items above. (INET4 and INET6 can be viewed separately with some ss commands.)
  • FRAG: can be understood as fragmentation.

Obviously, this output does not show individual socket connections in detail. The total number of sockets on the Total line at the top is very large, but summary statistics like these are useful in some cases.

If you want to view specific socket activity, you can use the ss -a command, but be prepared for a lot of output. We can count the lines with wc -l to get an idea:

$ ss -a | wc -l
555

Startled? 555 lines of data!

But don't panic: we can look at socket activity for a specific category.

  • ss -ta dumps all TCP sockets
  • ss -ua dumps all UDP sockets
  • ss -wa dumps all RAW sockets
  • ss -xa dumps all UNIX sockets
  • ss -4a dumps all IPv4 sockets
  • ss -6a dumps all IPv6 sockets

The ss command without parameters displays all established socket connections. To keep this readable, only one page of output is shown here and most of the rest is omitted:

$ ss | more
Netid  State Recv-Q Send-Q           Local Address:Port    Peer Address:Port
u_str  ESTAB 0      0                            * 20863              * 20864
u_str  ESTAB 0      0                            * 32232              * 33018
u_str  ESTAB 0      0                            * 33147              * 3257544ddddy
u_str  ESTAB 0      0            /run/user/121/bus 32796              * 32795
u_str  ESTAB 0      0            /run/user/121/bus 32574              * 32573
u_str  ESTAB 0      0                            * 32782              * 32783
u_str  ESTAB 0      0  /run/systemd/journal/stdout 19091              * 18113
u_str  ESTAB 0      0                            * 769568             * 768429
u_str  ESTAB 0      0                            * 32560              * 32561
u_str  ESTAB 0      0          @/tmp/dbus-8xbBdjNe 33155              * 33154
u_str  ESTAB 0      0  /run/systemd/journal/stdout 32783              * 32782
...
tcp    ESTAB 0     64                 192.168.0.16:ssh      192.168.0.6:25944
tcp    ESTAB 0      0                 192.168.0.16:ssh      192.168.0.6:5385

To view only established TCP connections, use ss -t:

$ ss -t
State    Recv-Q   Send-Q      Local Address:Port            Peer Address:Port
ESTAB    0        64           192.168.0.16:ssh              192.168.0.6:25944
ESTAB    0        0            192.168.0.16:ssh              192.168.0.9:5385

To display only listening sockets, try ss -lt:

$ ss -lt
State   Recv-Q   Send-Q      Local Address:Port             Peer Address:Port
LISTEN  0        10              127.0.0.1:submission            0.0.0.0:*
LISTEN  0        128         127.0.0.53%lo:domain                0.0.0.0:*
LISTEN  0        128               0.0.0.0:ssh                   0.0.0.0:*
LISTEN  0        5               127.0.0.1:ipp                   0.0.0.0:*
LISTEN  0        10              127.0.0.1:smtp                  0.0.0.0:*
LISTEN  0        128                  [::]:ssh                      [::]:*
LISTEN  0        5                   [::1]:ipp                      [::]:*

If you want to display port numbers instead of service names, use ss -ltn:

$ ss -ltn
State    Recv-Q    Send-Q        Local Address:Port        Peer Address:Port
LISTEN   0         10                127.0.0.1:587              0.0.0.0:*
LISTEN   0         128           127.0.0.53%lo:53               0.0.0.0:*
LISTEN   0         128                 0.0.0.0:22               0.0.0.0:*
LISTEN   0         5                 127.0.0.1:631              0.0.0.0:*
LISTEN   0         10                127.0.0.1:25               0.0.0.0:*
LISTEN   0         128                    [::]:22                  [::]:*
LISTEN   0         5                     [::1]:631                 [::]:*
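
As an added example (not part of the original post), the following script parses ss -ltn output like the listing above and labels each listener as loopback-only or exposed on other interfaces, which is the usual reason to review listening sockets. The function name classify_listeners and the embedded sample are assumptions of this example, and it expects TCP-only output, where Local Address:Port is the fourth column.

```sh
#!/bin/sh
# Added example: label listeners from `ss -ltn` output by exposure.
# Assumes TCP-only output (no Netid column), so field 4 is Local Address:Port.

# Constructed sample: the `ss -ltn` listing from the article, embedded so the
# script runs offline.
SAMPLE_SS_LTN='State    Recv-Q    Send-Q        Local Address:Port        Peer Address:Port
LISTEN   0         10                127.0.0.1:587              0.0.0.0:*
LISTEN   0         128           127.0.0.53%lo:53               0.0.0.0:*
LISTEN   0         128                 0.0.0.0:22               0.0.0.0:*
LISTEN   0         5                 127.0.0.1:631              0.0.0.0:*
LISTEN   0         10                127.0.0.1:25               0.0.0.0:*
LISTEN   0         128                    [::]:22                  [::]:*
LISTEN   0         5                     [::1]:631                 [::]:*'

# classify_listeners: read `ss -ltn` text on stdin and print one line per
# listener in the form "<scope> <address> <port>", where scope is "loopback"
# (127.0.0.0/8 or ::1) or "exposed" (wildcard or any other address).
classify_listeners() {
    awk '
    $1 == "LISTEN" {
        port = $4
        sub(/^.*:/, "", port)        # port follows the last colon
        addr = $4
        sub(/:[^:]*$/, "", addr)     # drop ":port" (IPv6 keeps its colons)
        sub(/%.*$/, "", addr)        # drop interface suffix such as %lo
        sub(/^\[/, "", addr)         # drop IPv6 brackets
        sub(/\]$/, "", addr)
        scope = (addr ~ /^127\./ || addr == "::1") ? "loopback" : "exposed"
        print scope, addr, port
    }'
}

# Run against the embedded sample.
# On a live host: ss -ltn | classify_listeners
printf '%s\n' "$SAMPLE_SS_LTN" | classify_listeners
```

For the sample listing, only the two ssh listeners (0.0.0.0 and [::] on port 22) are reported as exposed; the mail, DNS stub and printing listeners are bound to loopback.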

That is all for this introduction. For more details, please refer to the built-in help (ss -h).

One more tip: you can turn the options you use most into aliases to make them easier to use. For example:

$ alias listen="ss -lt"
$ alias socksum="ss -s"

-----------------

I am Liangxu, a Linux development engineer at one of the world's top 500 foreign enterprises, specializing in practical Linux content.
