ss stands for socket state: it is a tool for inspecting the state of the sockets on a system. We could use netstat for that, so why bother with ss? ss has a clear advantage: when a large number of sockets are open, netstat (which walks /proc) becomes slow, while ss queries the kernel directly and stays fast.
Let us first look at the usage format of ss:
[root@redhat ~]# ss ?
ss: bison bellows (while parsing filter): "syntax error!" Sorry.
Usage: ss [ OPTIONS ]
       ss [ OPTIONS ] [ FILTER ]
   -h, --help          this message
   -V, --version       output version information
   -n, --numeric       don't resolve service names
   -r, --resolve       resolve host names
   -a, --all           display all sockets
   -l, --listening     display listening sockets
   -o, --options       show timer information
   -e, --extended      show detailed socket information
   -m, --memory        show socket memory usage
   -p, --processes     show process using socket
   -i, --info          show internal TCP information
   -s, --summary       show socket usage summary

   -4, --ipv4          display only IP version 4 sockets
   -6, --ipv6          display only IP version 6 sockets
   -0, --packet        display PACKET sockets
   -t, --tcp           display only TCP sockets
   -u, --udp           display only UDP sockets
   -d, --dccp          display only DCCP sockets
   -w, --raw           display only RAW sockets
   -x, --unix          display only Unix domain sockets
   -f, --family=FAMILY display sockets of type FAMILY

   -A, --query=QUERY
       QUERY := {all|inet|tcp|udp|raw|unix|packet|netlink}[,QUERY]

   -F, --filter=FILE   read filter information from FILE
       FILTER := [ state TCP-STATE ] [ EXPRESSION ]
[root@redhat ~]#
The real power of ss lies in its filter conditions: we can filter by socket state, and we can also filter by port and IP address. These are the STATE-FILTER and the ADDRESS-FILTER seen in the command format above (the `state TCP-STATE` part and the `EXPRESSION` part of FILTER).
First the STATE-FILTER. The filter conditions available are:
1. Any TCP state, namely: established, syn-sent, syn-recv, fin-wait-1, fin-wait-2, time-wait, closed, close-wait, last-ack, listen and closing.
2. all: every state.
3. connected: every state except listen and closed.
4. synchronized: every connected state except syn-sent.
5. bucket
6. big
In use, for example:
$ ss state connected
Now the ADDRESS-FILTER. The ADDRESS-FILTER filters on ports and addresses, and its sub-expressions can be combined into larger expressions. The available sub-expressions are:
1. dst ADDRESS_PATTERN
2. src ADDRESS_PATTERN
3. dport RELOP PORT
4. sport RELOP PORT
5. autobound
Here ADDRESS_PATTERN matches an IP address and port in the form ip:port, where either part can be replaced by * as a wildcard. RELOP is <=, >= or ==.
For example:
[root@redhat ~]# ss dst 169.254.7.1
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB  0      0      169.254.0.1:4565     169.254.7.1:45831
ESTAB  0      0      169.254.0.1:4565     169.254.7.1:45827
ESTAB  0      0      169.254.6.1:36202    169.254.7.1:37520
ESTAB  0      0      169.254.0.1:4565     169.254.7.1:45832
ESTAB  0      0      169.254.0.1:11001    169.254.7.1:39425
ESTAB  0      0      169.254.0.1:11003    169.254.7.1:57108
ESTAB  0      0      169.254.0.1:7331     169.254.7.1:55076
ESTAB  0      0      169.254.0.1:11002    169.254.7.1:60527
ESTAB  0      0      169.254.6.1:57477    169.254.7.1:7331
ESTAB  0      0      169.254.0.1:shell    169.254.7.1:54370
ESTAB  0      0      169.254.0.1:4565     169.254.7.1:45812
ESTAB  0      0      169.254.0.1:4565     169.254.7.1:45813
ESTAB  0      0      169.254.0.1:4565     169.254.7.1:45810
ESTAB  0      0      169.254.0.1:4565     169.254.7.1:45811
ESTAB  0      0      169.254.0.1:4565     169.254.7.1:45808
ESTAB  0      0      169.254.0.1:4565     169.254.7.1:45816
ESTAB  0      0      169.254.0.1:4565     169.254.7.1:45806
[root@redhat ~]#
Several sub-expressions can be combined, and just as with tcpdump the operators are or, and and not. Parentheses, however, must be escaped (with a backslash) so that the shell does not interpret them.
For example:
[root@redhat ~]# ss -o state fin-wait-1 \( sport = :http or sport = :https \) dst 193.233.7/24
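As an added example (not part of the original post), the filtered table that ss prints can be fed to a small shell function to summarise connections per peer address. A remote host holding far more established connections than its neighbours is the kind of thing a defender wants to notice quickly. The sample input is constructed here so that the function runs without ss; the live invocation is given in a comment.

```shell
#!/bin/sh
# Added example: count established TCP connections per peer address from
# ss output. Not code from the original post.
#
# Live use (the State column is omitted by ss when a single state is
# requested, so the peer address is always the last column):
#   ss -tn state established | ss_established_by_peer

# Reads an ss table (header line first) on stdin and prints
# "<peer-ip> <count>" lines, highest count first.
ss_established_by_peer() {
    awk 'NR > 1 && NF >= 2 {
            peer = $NF                 # Peer Address:Port column
            sub(/:[^:]*$/, "", peer)   # strip the port; works for [::1]:22 too
            count[peer]++
        }
        END { for (p in count) print p, count[p] }' | sort -k2,2nr
}

# Prints only the peer with the most connections, as "<peer-ip> <count>".
busiest_peer() {
    ss_established_by_peer | head -n 1
}

# Constructed sample in the layout ss prints for `ss -tn state established`.
SAMPLE_ESTAB='Recv-Q Send-Q Local Address:Port Peer Address:Port
0      0      169.254.0.1:4565     169.254.7.1:45831
0      0      169.254.0.1:4565     169.254.7.1:45827
0      0      169.254.6.1:36202    169.254.7.1:37520
0      0      169.254.0.1:22       192.0.2.10:50111'

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_ESTAB" | ss_established_by_peer
```

Piping the live `ss -tn state established` output through the same function gives the same per-peer summary for the running system; `-n` keeps addresses numeric so the port-stripping pattern sees digits rather than service names.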
A few more examples.
Show a summary of the whole system:
[root@redhat ~]# ss -s
Total: 160 (kernel 194)
TCP:   48 (estab 31, closed 0, orphaned 0, synrecv 0, timewait 0/0), ports 49

Transport Total     IP        IPv6
*         194       -         -
RAW       0         0         0
UDP       5         5         0
TCP       48        48        0
INET      53        53        0
FRAG      0         0         0

[root@redhat ~]#
To find out which process is occupying port 11001 on the current machine:
[root@redhat ~]# ss -lp src :11001
Recv-Q Send-Q Local Address:Port   Peer Address:Port
0      0      169.254.0.1:11001    *:*    users:(("syslog-ng",21761,12))
[root@redhat ~]#
We can see that it is a process called syslog-ng, with process id 21761.
Original: http://www.cnblogs.com/txw1958/archive/2012/07/26/linux-ss.html
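The users:(...) field is what answers "who owns this port", and it is worth being able to parse it rather than reading it by eye, for instance in a check that a listening port is bound by the process you expect. The following shell function is an added example, not code from the original post; it handles both the older `("name",pid,fd)` layout shown above and the `("name",pid=N,fd=M)` layout printed by newer ss releases. The sample lines are constructed.

```shell
#!/bin/sh
# Added example: extract process name and pid from the users:(...) field of
# `ss -lp` output. Not code from the original post.
#
# Live use:
#   ss -lp src :11001 | ss_listener_owner
#   ss -lp src :11001 | owners_all_named syslog-ng || echo "unexpected owner"

# Reads ss output on stdin; prints one "<name> <pid>" line per users entry.
ss_listener_owner() {
    awk '{
        s = $0
        # Each entry looks like ("syslog-ng",21761,12) or ("nginx",pid=1234,fd=6).
        while (match(s, /"[^"]*",(pid=)?[0-9]+/)) {
            entry = substr(s, RSTART, RLENGTH)
            s = substr(s, RSTART + RLENGTH)
            name = entry
            sub(/^"/, "", name); sub(/".*$/, "", name)
            pid = entry
            sub(/^.*[,=]/, "", pid)   # keep the digits after the last , or =
            print name, pid
        }
    }'
}

# Returns 0 when every owner entry on stdin carries the expected process name,
# 1 otherwise (including when no owner entry is present at all).
owners_all_named() {
    want=$1
    ss_listener_owner | awk -v want="$want" '
        { seen = 1; if ($1 != want) bad = 1 }
        END { exit (seen && !bad) ? 0 : 1 }'
}

# Constructed sample in the older users:(...) layout (as in the post).
SAMPLE_LISTEN_OLD='Recv-Q Send-Q Local Address:Port Peer Address:Port
0      0      169.254.0.1:11001    *:*    users:(("syslog-ng",21761,12))'

# Constructed sample in the newer layout, with two worker processes sharing the socket.
SAMPLE_LISTEN_NEW='Recv-Q Send-Q Local Address:Port Peer Address:Port
0      0      0.0.0.0:80           0.0.0.0:*    users:(("nginx",pid=1234,fd=6),("nginx",pid=1233,fd=6))'

# Stand-alone run over the constructed samples.
printf '%s\n' "$SAMPLE_LISTEN_OLD" | ss_listener_owner
printf '%s\n' "$SAMPLE_LISTEN_NEW" | ss_listener_owner
```

`owners_all_named` is the piece a defender would drop into a periodic check: it fails when the port is bound by something other than the expected daemon, and also when ss reports no owner at all, which happens when the command is run without the privileges needed to see other users' processes.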