1. Overview

In this tutorial, we’ll look at how to examine the connections on a host, how to view the connection information, and commands to examine the connections’ state. We’ll also show ways to filter the command output to view connection statistics readily. We’ll look at how to get a summary of the hosts’ connections and the current connection count.

The commands in this article have been tested on SUSE 15 and Debian 11.6, using GNU Bash version 4.4.23. All code snippets should work in most Linux environments.

2. The ss Command

A socket is a mechanism to enable communication to and from a host. Linux provides the ss command, short for “socket statistics”, to dump information about socket states. When run without any parameters, a list of all the non-listening sockets that have established a connection is displayed:

$ ss
Netid           State           Recv-Q           Send-Q              Local Address:Port                      Peer Address:Port           Process           
u_str           ESTAB           0                0                   /run/systemd/journal/stdout 9775                                 * 9774                             
u_str           ESTAB           0                0                   /run/systemd/journal/stdout 10874                                * 10873                            
u_str           ESTAB           0                0                                             * 20988                                * 20989                            
u_str           ESTAB           0                0                                             * 10876                                * 10900                            
u_str           ESTAB           0                0                   /run/systemd/journal/stdout 10924                                * 10923                            
...
u_str           ESTAB           0                0                                             * 11117                                * 11118                            
u_str           ESTAB           0                0                   /run/dbus/system_bus_socket 20989                                * 20988                            
tcp             ESTAB           0                0                                     172.31.5.16:ssh                        86.41.94.97:50592      

We see in the State column that this system has sockets that are ESTAB, meaning established, while the Local Address:Port and Peer Address:Port columns show us the IP address and port information.

3. Filtering ss Output

Another possible TCP state is listening. By default, listening sockets are omitted from the ss command output. We can pass the state keyword as an argument to filter on the socket state, followed by the state we want to query. Here, we’re retrieving sockets that are in a listening state:

$ ss state listening
Netid           Recv-Q           Send-Q                                           Local Address:Port                       Peer Address:Port           Process           
u_str           0                4096                           /run/user/1000/systemd/private 20986                                 * 0                                
u_str           0                4096                              /run/dbus/system_bus_socket 10835                                 * 0                                
u_str           0                4096                                       /run/uuidd/request 10837                                 * 0                                
u_str           0                4096                                      /run/systemd/private 9525                                  * 0                                
u_str           0                4096                /run/systemd/userdb/io.systemd.DynamicUser 9527                                  * 0                                
...
u_str           0                4096                   /run/systemd/journal/io.systemd.journal 9588                                  * 0                                
tcp             0                128                                                    0.0.0.0:ssh                             0.0.0.0:*                                
tcp             0                128                                                       [::]:ssh                                [::]:*                                

Now, we see our output no longer has a State column because we included a state filter. As a shortcut to filter for sockets in a listening state, ss provides the -l argument. We could retrieve the same information as our previous command: ss -l.

4. Filtering on Protocol

When a connection is shown as established, it uses a protocol that ensures a reliable connection, such as TCP. ESTAB refers to one of the protocol standard states.

We can further filter down our results by protocol. By default, all protocols are included in the output. We can limit this to one type by passing the option for that protocol. The well-known protocols TCP and UDP have shortcuts -t and -u, respectively.

Here, we’re filtering on TCP connections that are in a listening state by passing the arguments –t and -l:

$ ss -lt
State                Recv-Q               Send-Q                             Local Address:Port                             Peer Address:Port              Process              
LISTEN               0                    128                                      0.0.0.0:ssh                                   0.0.0.0:*                                      
LISTEN               0                    128                                         [::]:ssh                                      [::]:*                                      
LISTEN               0                    511                                            *:http                                        *:* 

If we want to retrieve TCP socket information in all states, we can use -t followed by -a to display both listening and non-listening:

$ ss -t -a
State               Recv-Q               Send-Q                             Local Address:Port                             Peer Address:Port               Process              
LISTEN              0                    128                                      0.0.0.0:ssh                                   0.0.0.0:*                                       
ESTAB               0                    52                                   172.31.5.16:ssh                              86.40.31.143:58980                                   
LISTEN              0                    511                                            *:http                                        *:*                                       
LISTEN              0                    128                                         [::]:ssh                                      [::]:*      

These arguments provide a quick way to filter our socket list on protocol and state.

5. Summary of Connections

The number of sockets open on a host can directly impact the host’s performance. Each connection takes memory and CPU to track and manage them. While it’s theoretically possible to have many sockets open, the underlying host would need the resources to manage these effectively. On Linux hosts, we can query that limit in the file /proc/sys/fs/file-max. The file requires sudo access:

$ sudo cat /proc/sys/fs/file-max 
9223372036854775807

So, if we are concerned with just the number of open sockets and their state, ss has a shortcut parameter, -s. To get a summary of the socket statistics, we can provide the argument -s:

$ ss -s
Total: 84
TCP:   5 (estab 1, closed 1, orphaned 0, timewait 0)

Transport Total     IP        IPv6
RAW      0         0         0        
UDP      4         2         2        
TCP      4         2         2        
INET      8         4         4        
FRAG      0         0         0  

Of course, we can pipe these results to text search commands. This could be useful in scripts. Here, we’re using grep combined with cut to view the total socket count alone:

$ ss -s | grep -m1 -i total | cut -f2 -d " "
84

This time, let’s combine ss with awk to find the total:

$ ss -s | awk '/Total/ {print $2;exit;}'
84

This is a fast way to retrieve a socket count and the socket protocol.

6. Retrieving Extended Information

If we want to get the process name associated with the socket, we can use the -e parameter to include extended information in our output.

Let’s look at an example from a web server host. We’ll combine the extended parameter with restricting the output to TCP-based sockets in a listening state. Our shortcut combination is -etl:

$ ss -etl
State      Recv-Q       Send-Q              Local Address:Port               Peer Address:Port       Process                                                                  
LISTEN       0            128                       0.0.0.0:ssh                     0.0.0.0:*           ino:11052 sk:1f cgroup:/system.slice/ssh.service <->                    
LISTEN       0            511                             *:http                          *:*           ino:11953 sk:5d cgroup:/system.slice/apache2.service v6only:0 <->       
LISTEN       0            128                          [::]:ssh                        [::]:*           ino:11064 sk:21 cgroup:/system.slice/ssh.service v6only:1 <->   

The Process column shows the SSH and HTTP sockets, followed by the process details for the Apache2 web service. The format of this column is ino identifying the inode in the virtual filesystem, sk represents the universally unique id of the socket, and uid the user the socket belongs to.

7. Retrieving the Hostname

The ss command can attempt to resolve IP addresses and port combinations to hostnames using -r.

Here, we’re querying for sockets in all states using the TCP protocol. We’ll include an attempt to resolve the IP addresses:

$ ss -atr
State             Recv-Q          Send-Q                                        Local Address:Port                            Peer Address:Port          Process         
LISTEN            0               128                                                  0.0.0.0:ssh                                  0.0.0.0:*                             
ESTAB             0               52                 ip-172-31-5-16.eu-west-1.compute.internal:ssh                             86.40.31.143:58980                         
LISTEN            0               511                                                        *:http                                       *:*                             
LISTEN            0               128                                                      [::]:ssh                                     [::]:*                             
TIME-WAIT         0               0                  ip-172-31-5-16.eu-west-1.compute.internal:http                   [::ffff:86.40.31.143]:50046                         
SYN-RECV          0               0                  ip-172-31-5-16.eu-west-1.compute.internal:http                   [::ffff:86.40.31.143]:59674                         

We see in the Local Address column that it resolved the IP to the hostname.

8. Summary

In this article, we learned how to use the ss command to query socket information. 

We started with a discussion on the default information provided by ss then we saw examples of how to filter the output based on state and protocol. Further, we discussed socket count and looked at how to get a summary of the open sockets. Next, we extended the command to get process information associated with the socket. Finally, we saw how to resolve the hostname from the IP address included in the output.


« 上一篇: 如何取消作业