I. Syntax
onlylove@ubuntu:~$ ss -help
Usage: ss [ OPTIONS ]
ss [ OPTIONS ][ FILTER ]
-h, --help this message
-V, --version output version information
-n, --numeric don't resolve service names
-r, --resolve resolve host names
-a, --all display all sockets
-l, --listening display listening sockets
-o, --options show timer information
-e, --extended show detailed socket information
-m, --memory show socket memory usage
-p, --processes show process using socket
-i, --info show internal TCP information
--tipcinfo show internal tipc socket information
-s, --summary show socket usage summary
--tos show tos and priority information
-b, --bpf show bpf filter socket information
-E, --events continually display sockets as they are destroyed
-Z, --context display process SELinux security contexts
-z, --contexts display process and socket SELinux security contexts
-N, --net switch to the specified network namespace name
-4, --ipv4 display only IP version 4 sockets
-6, --ipv6 display only IP version 6 sockets
-0, --packet display PACKET sockets
-t, --tcp display only TCP sockets
-S, --sctp display only SCTP sockets
-u, --udp display only UDP sockets
-d, --dccp display only DCCP sockets
-w, --raw display only RAW sockets
-x, --unix display only Unix domain sockets
--tipc display only TIPC sockets
--vsock display only vsock sockets
-f, --family=FAMILY display sockets of type FAMILY
FAMILY := {inet|inet6|link|unix|netlink|vsock|tipc|xdp|help}
-K, --kill forcibly close sockets, display what was closed
-H, --no-header Suppress header line
-O, --oneline socket's data printed on a single line
-A, --query=QUERY, --socket=QUERY
QUERY :={all|inet|tcp|udp|raw|unix|unix_dgram|unix_stream|unix_seqpacket|packet|netlink|vsock_stream|vsock_dgram|tipc}[,QUERY]
-D, --diag=FILE Dump raw information about TCP sockets to FILE
-F, --filter=FILE read filter information from FILE
FILTER :=[ state STATE-FILTER ][ EXPRESSION ]
STATE-FILTER :={all|connected|synchronized|bucket|big|TCP-STATES}
TCP-STATES :={established|syn-sent|syn-recv|fin-wait-{1,2}|time-wait|closed|close-wait|last-ack|listening|closing}
connected :={established|syn-sent|syn-recv|fin-wait-{1,2}|time-wait|close-wait|last-ack|closing}
synchronized :={established|syn-recv|fin-wait-{1,2}|time-wait|close-wait|last-ack|closing}
bucket :={syn-recv|time-wait}
big :={established|syn-sent|fin-wait-{1,2}|closed|close-wait|last-ack|listening|closing}
onlylove@ubuntu:~$
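II. Parameter Description
Parameter                           Description
-h, --help                          Help information
-V, --version                       Version information
-n, --numeric                       Do not resolve service names
-r, --resolve                       Resolve host names
-a, --all                           Display all sockets
-l, --listening                     Display listening sockets
-o, --options                       Show timer information
-e, --extended                      Show detailed socket information
-m, --memory                        Show socket memory usage
-p, --processes                     Show the process using the socket
-i, --info                          Show internal TCP information
--tipcinfo                          Show internal TIPC socket information
-s, --summary                       Show socket usage summary
--tos                               Show ToS and priority information
-b, --bpf                           Show BPF filter socket information
-E, --events                        Continually display sockets as they are destroyed
-Z, --context                       Display process SELinux security contexts
-z, --contexts                      Display process and socket SELinux security contexts
-N, --net                           Switch to the specified network namespace name
-4, --ipv4                          Display only IPv4 sockets
-6, --ipv6                          Display only IPv6 sockets
-0, --packet                        Display PACKET sockets
-t, --tcp                           Display only TCP sockets
-S, --sctp                          Display only SCTP sockets
-u, --udp                           Display only UDP sockets
-d, --dccp                          Display only DCCP sockets
-w, --raw                           Display only RAW sockets
-x, --unix                          Display only Unix domain sockets
--tipc                              Display only TIPC sockets
--vsock                             Display only vsock sockets
-f, --family=FAMILY                 Display sockets of type FAMILY
-K, --kill                          Forcibly close sockets and display what was closed
-H, --no-header                     Suppress header line
-O, --oneline                       Print each socket's data on a single line
-A, --query=QUERY, --socket=QUERY
-D, --diag=FILE                     Dump raw information about TCP sockets to FILE
-F, --filter=FILE                   Read filter information from FILE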
III. man ss
SS(8) System Manager's Manual SS(8)
NAME
ss - another utility to investigate sockets
SYNOPSIS
ss [options] [ FILTER ]
DESCRIPTION
ss is used to dump socket statistics. It allows showing information similar to netstat. It can display more TCP and state information than other tools.
OPTIONS
When no option is used ss displays a list of open non-listening sockets (e.g. TCP/UNIX/UDP) that have established connection.
-h, --help
Show summary of options.
-V, --version
Output version information.
-H, --no-header
Suppress header line.
-O, --oneline
Print each socket's data on a single line.
-n, --numeric
Do not try to resolve service names. Show exact bandwidth values, instead of human-readable.
-r, --resolve
Try to resolve numeric address/ports.
-a, --all
Display both listening and non-listening (for TCP this means established connections) sockets.
-l, --listening
Display only listening sockets (these are omitted by default).
-o, --options
Show timer information. For TCP protocol, the output format is:
timer:(<timer_name>,<expire_time>,<retrans>)
<timer_name>
the name of the timer, there are five kinds of timer names:
on: means one of these timers: TCP retrans timer, TCP early retrans timer and tail loss probe timer
keepalive: tcp keep alive timer
timewait: timewait stage timer
persist: zero window probe timer
unknown: none of the above timers
<expire_time>
how long time the timer will expire
<retrans>
how many times the retransmission occurred
-e, --extended
Show detailed socket information. The output format is:
uid:<uid_number> ino:<inode_number> sk:<cookie>
<uid_number>
the user id the socket belongs to
<inode_number>
the socket's inode number in VFS
<cookie>
an uuid of the socket
-m, --memory
Show socket memory usage. The output format is:
skmem:(r<rmem_alloc>,rb<rcv_buf>,t<wmem_alloc>,tb<snd_buf>,
f<fwd_alloc>,w<wmem_queued>,o<opt_mem>,
bl<back_log>,d<sock_drop>)
<rmem_alloc>
the memory allocated for receiving packet
<rcv_buf>
the total memory can be allocated for receiving packet
<wmem_alloc>
the memory used for sending packet (which has been sent to layer 3)
<snd_buf>
the total memory can be allocated for sending packet
<fwd_alloc>
the memory allocated by the socket as cache, but not used for receiving/sending packet yet. If need memory to send/receive packet, the memory in this cache will be used before allocate additional memory.
<wmem_queued>
The memory allocated for sending packet (which has not been sent to layer 3)
<ropt_mem>
The memory used for storing socket option, e.g., the key for TCP MD5 signature
<back_log>
The memory used for the sk backlog queue. On a process context, if the process is receiving packet, and a new packet is received, it will be put into the sk backlog queue, so it can be received by the process immediately
<sock_drop>
the number of packets dropped before they are de-multiplexed into the socket
-p, --processes
Show process using socket.
-i, --info
Show internal TCP information. Below fields may appear:
ts
show string "ts" if the timestamp option is set
sack
show string "sack" if the sack option is set
ecn
show string "ecn" if the explicit congestion notification option is set
ecnseen
show string "ecnseen" if the saw ecn flag is found in received packets
fastopen
show string "fastopen" if the fastopen option is set
cong_alg
the congestion algorithm name, the default congestion algorithm is "cubic"
wscale:<snd_wscale>:<rcv_wscale>
if window scale option is used, this field shows the send scale factor and receive scale factor
rto:<icsk_rto>
tcp re-transmission timeout value, the unit is millisecond
backoff:<icsk_backoff>
used for exponential backoff re-transmission, the actual re-transmission timeout value is icsk_rto << icsk_backoff
rtt:<rtt>/<rttvar>
rtt is the average round trip time, rttvar is the mean deviation of rtt, their units are millisecond
ato:<ato>
ack timeout, unit is millisecond, used for delay ack mode
mss:<mss>
max segment size
cwnd:<cwnd>
congestion window size
pmtu:<pmtu>
path MTU value
ssthresh:<ssthresh>
tcp congestion window slow start threshold
bytes_acked:<bytes_acked>
bytes acked
bytes_received:<bytes_received>
bytes received
segs_out:<segs_out>
segments sent out
segs_in:<segs_in>
segments received
send <send_bps>bps
egress bps
lastsnd:<lastsnd>
how long time since the last packet sent, the unit is millisecond
lastrcv:<lastrcv>
how long time since the last packet received, the unit is millisecond
lastack:<lastack>
how long time since the last ack received, the unit is millisecond
pacing_rate <pacing_rate>bps/<max_pacing_rate>bps
the pacing rate and max pacing rate
rcv_space:<rcv_space>
a helper variable for TCP internal auto tuning socket receive buffer
--tos
Show ToS and priority information. Below fields may appear:
tos
IPv4 Type-of-Service byte
tclass
IPv6 Traffic Class byte
class_id
Class id set by net_cls cgroup. If class is zero this shows priority set by SO_PRIORITY.
-K, --kill
Attempts to forcibly close sockets. This option displays sockets that are successfully closed and silently skips sockets that the kernel does not support closing. It supports IPv4 and IPv6 sockets only.
-s, --summary
Print summary statistics. This option does not parse socket lists obtaining summary from various sources. It is useful when amount of sockets is so huge that parsing /proc/net/tcp is painful.
-E, --events
Continually display sockets as they are destroyed
-Z, --context
As the -p option but also shows process security context.
For netlink(7) sockets the initiating process context is displayed as follows:
1. If valid pid show the process context.
2. If destination is kernel (pid = 0) show kernel initial context.
3. If a unique identifier has been allocated by the kernel or netlink user, show context as "unavailable". This will generally indicate that a process has more than one netlink socket active.
-z, --contexts
As the -Z option but also shows the socket context. The socket context is taken from the associated inode and is not the actual socket context held by the kernel. Sockets are typically labeled with the context of the creating process, however the context shown will reflect any policy role, type and/or range transition rules applied, and is therefore a useful reference.
-N NSNAME, --net=NSNAME
Switch to the specified network namespace name.
-b, --bpf
Show socket BPF filters (only administrators are allowed to get these information).
-4, --ipv4
Display only IP version 4 sockets (alias for -f inet).
-6, --ipv6
Display only IP version 6 sockets (alias for -f inet6).
-0, --packet
Display PACKET sockets (alias for -f link).
-t, --tcp
Display TCP sockets.
-u, --udp
Display UDP sockets.
-d, --dccp
Display DCCP sockets.
-w, --raw
Display RAW sockets.
-x, --unix
Display Unix domain sockets (alias for -f unix).
-S, --sctp
Display SCTP sockets.
--vsock
Display vsock sockets (alias for -f vsock).
--xdp
Display XDP sockets (alias for -f xdp).
-f FAMILY, --family=FAMILY
Display sockets of type FAMILY. Currently the following families are supported: unix, inet, inet6, link, netlink, vsock, xdp.
-A QUERY, --query=QUERY, --socket=QUERY
List of socket tables to dump, separated by commas. The following identifiers are understood: all, inet, tcp, udp, raw, unix, packet, netlink, unix_dgram, unix_stream, unix_seqpacket, packet_raw, packet_dgram, dccp, sctp, vsock_stream, vsock_dgram, xdp. Any item in the list may optionally be prefixed by an exclamation mark (!) to exclude that socket table from being dumped.
-D FILE, --diag=FILE
Do not display anything, just dump raw information about TCP sockets to FILE after applying filters. If FILE is - stdout is used.
-F FILE, --filter=FILE
Read filter information from FILE. Each line of FILE is interpreted like single command line option. If FILE is - stdin is used.
FILTER := [ state STATE-FILTER ] [ EXPRESSION ]
Please take a look at the official documentation for details regarding filters.
STATE-FILTER
STATE-FILTER allows to construct arbitrary set of states to match. Its syntax is sequence of keywords state and exclude followed by identifier of state.
Available identifiers are:
All standard TCP states: established, syn-sent, syn-recv, fin-wait-1, fin-wait-2, time-wait, closed, close-wait, last-ack, listening and closing.
all - for all the states
connected - all the states except for listening and closed
synchronized - all the connected states except for syn-sent
bucket - states, which are maintained as minisockets, i.e. time-wait and syn-recv
big - opposite to bucket
USAGE EXAMPLES
ss -t -a
Display all TCP sockets.
ss -t -a -Z
Display all TCP sockets with process SELinux security contexts.
ss -u -a
Display all UDP sockets.
ss -o state established '( dport = :ssh or sport = :ssh )'
Display all established ssh connections.
ss -x src /tmp/.X11-unix/*
Find all local processes connected to X server.
ss -o state fin-wait-1 '( sport = :http or sport = :https )' dst 193.233.7/24
List all the tcp sockets in state FIN-WAIT-1 for our apache to network 193.233.7/24 and look at their timers.
ss -a -A 'all,!tcp'
List sockets in all states from all socket tables but TCP.
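An added example, not part of the original page or of the ss project: a Python parser for the one-line output of `ss -H -O -tlnpe` (all options described above) that uses the -e fields (uid:, ino:) and the -p process list to report listeners bound to a wildcard address. The sample lines are constructed, and treating a missing uid: field as uid 0 is an assumption.

```python
import re

# Constructed sample of `ss -H -O -tlnpe` output (not captured from a real host).
SAMPLE = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3)) ino:21034 sk:1 <->
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=640,fd=14)) uid:101 ino:19876 sk:2 <->
LISTEN 0 511 *:8080 *:* users:(("node",pid=2210,fd=21)) uid:1000 ino:40112 sk:3 v6only:0 <->
LISTEN 0 128 [::1]:631 [::]:* users:(("cupsd",pid=701,fd=6)) ino:20544 sk:4 v6only:1 <->
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:* uid:112 ino:25310 sk:5 <->
"""

WILDCARDS = {"0.0.0.0", "*", "[::]"}
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+),fd=\d+\)')

def parse_listener(line):
    """Parse one oneline (-O) record: State Recv-Q Send-Q Local Peer [details...]."""
    fields = line.split()
    if len(fields) < 5 or fields[0] != "LISTEN":
        return None
    addr, _, port = fields[3].rpartition(":")   # rpartition keeps IPv6 colons intact
    addr = addr.split("%", 1)[0]                # drop an interface suffix such as %lo
    rest = " ".join(fields[5:])
    ext = dict(re.findall(r"\b(uid|ino|sk):(\w+)", rest))
    return {
        "addr": addr, "port": int(port),        # numeric port requires -n
        # Assumption: no uid: field means the socket is owned by uid 0.
        "uid": int(ext.get("uid", 0)),
        "inode": int(ext["ino"]) if "ino" in ext else None,
        # Empty without -p, or when the owning process is not visible to the caller.
        "procs": [(n, int(p)) for n, p in PROC_RE.findall(rest)],
        "wildcard": addr in WILDCARDS,
    }

def exposed_listeners(text):
    """Return listeners bound to a wildcard address, sorted by port."""
    socks = filter(None, (parse_listener(l) for l in text.splitlines()))
    return sorted((s for s in socks if s["wildcard"]), key=lambda s: s["port"])

if __name__ == "__main__":
    for s in exposed_listeners(SAMPLE):
        owner = ", ".join(f"{n}[{p}]" for n, p in s["procs"]) or "unknown process"
        print(f'{s["addr"]}:{s["port"]} uid={s["uid"]} ino={s["inode"]} {owner}')
```

On a live host, pipe the real command output into `exposed_listeners` in place of `SAMPLE`; run ss with sufficient privileges or the `users:(...)` field will be missing for other users' sockets.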
SEE ALSO
ip(8),
RFC 793 - https://tools.ietf.org/rfc/rfc793.txt (TCP states)
AUTHOR
ss was written by Alexey Kuznetsov, <kuznet@ms2.inr.ac.ru>.
This manual page was written by Michael Prokop <mika@grml.org> for the Debian project (but may be used by others).