cqc3073
12/21/2017 - 2:40 AM

The ss command


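ss is presumably short for "socket statistics": it reports statistics about sockets. It is similar to netstat but can display more information.

Syntax

ss [options] [ FILTER ]

Options

-h, --help

Show help.

-V, --version

Show the ss version.

-n, --numeric

Show hosts as IP addresses and port names (e.g. ftp) as numbers.

-r, --resolve

Try to resolve IP addresses and ports to the corresponding host and service names.

-a, --all

Show all sockets.

-l, --listening

Show only listening sockets.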

-o, --options

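Show timer information.
timer:(keepalive,114min,0)
114min is the time remaining until the next keepalive is sent; 0 is the number of keepalives already sent.

The related kernel parameters are:

# Idle time before keepalive probes start being sent, in seconds
cat /proc/sys/net/ipv4/tcp_keepalive_time    # => 7200
# At most 9 keepalive probes are sent; if the peer still has not responded, the connection is closed
cat /proc/sys/net/ipv4/tcp_keepalive_probes  # => 9
# Interval between successive keepalive probes, in seconds
cat /proc/sys/net/ipv4/tcp_keepalive_intvl   # => 75

netstat's timer is slightly different; see this article.

-e, --extended

Show detailed socket information.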

$ ss -ntp dport = :10000 | head
State      Recv-Q Send-Q Local Address:Port               Peer Address:Port              
ESTAB      69980  0      10.111.96.255:53510              10.111.96.255:10000              
ESTAB      0      0      10.111.96.255:60738              10.111.96.255:10000              
ESTAB      113522 0      10.111.96.255:35746              10.111.96.255:10000              
ESTAB      103886 0      10.111.96.255:52482              10.111.96.255:10000              
ESTAB      114003 0      10.111.96.255:40306              10.111.96.255:10000              
ESTAB      29420  0      10.111.96.255:36822              10.111.96.255:10000              
ESTAB      0      0      10.111.96.255:53620              10.111.96.255:10000              
ESTAB      46     0      10.111.96.255:59628              10.111.96.255:10000              
ESTAB      73423  0      10.111.96.255:53444              10.111.96.255:10000

$ ss -ntpe dport = :10000 | head
State      Recv-Q Send-Q Local Address:Port               Peer Address:Port              
ESTAB      69980  0      10.111.96.255:53510              10.111.96.255:10000               timer:(keepalive,56min,0) uid:1013 ino:504630510 sk:ffff881e44b964c0 <->
ESTAB      0      0      10.111.96.255:60738              10.111.96.255:10000               timer:(keepalive,47min,0) uid:1013 ino:504782353 sk:ffff881a89f8dd00 <->
ESTAB      113522 0      10.111.96.255:35746              10.111.96.255:10000               timer:(keepalive,54min,0) uid:1013 ino:505099885 sk:ffff880a38b6ae80 <->
ESTAB      103886 0      10.111.96.255:52482              10.111.96.255:10000               timer:(keepalive,55min,0) uid:1013 ino:504625727 sk:ffff881b78f69740 <->
ESTAB      114003 0      10.111.96.255:40306              10.111.96.255:10000               timer:(keepalive,47min,0) uid:1013 ino:505091859 sk:ffff881b4f3a3640 <->
ESTAB      29420  0      10.111.96.255:36822              10.111.96.255:10000               timer:(keepalive,54min,0) uid:1013 ino:504803958 sk:ffff881e46ecb640 <->
ESTAB      0      0      10.111.96.255:53620              10.111.96.255:10000               timer:(keepalive,42min,0) uid:1013 ino:504667513 sk:ffff881ca92a45c0 <->
ESTAB      46     0      10.111.96.255:59628              10.111.96.255:10000               timer:(keepalive,47min,0) uid:1013 ino:509119803 sk:ffff881a1166c5c0 <->
ESTAB      73423  0      10.111.96.255:53444              10.111.96.255:10000               timer:(keepalive,57min,0) uid:1013 ino:504624485 sk:ffff880123de7440 <->

-m, --memory

Show socket memory usage.

State      Recv-Q Send-Q Local Address:Port               Peer Address:Port              
ESTAB      69980  0      10.111.96.255:53510              10.111.96.255:10000              skmem:(r72696,rb1061296,t0,tb2626560,f1032,w0,o0,bl0)

-p, --processes

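Show the process that owns each socket (process information is only shown when ss is run as the user that started the process, or as root).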

sudo ss -ntpm dport = :10000
State      Recv-Q Send-Q Local Address:Port               Peer Address:Port              
ESTAB      69980  0      10.111.96.255:53510              10.111.96.255:10000               users:(("java",pid=16607,fd=557))
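
The uid/ino fields from -e and the users:(...) field from -p can be combined into a per-socket ownership report, which is useful when attributing connections to accounts and processes. The script below is an added example, not part of the original snippet; the function names, the 65536-byte Recv-Q threshold, and the placement of users:(...) on the first sample row are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: per-socket ownership report from `ss -ntpe` output.

# Constructed sample: three rows from the -e output above; the users:(...)
# field on the first row is what -p adds when ss has enough privileges.
sample_ss_output() {
cat <<'EOF'
State      Recv-Q Send-Q Local Address:Port               Peer Address:Port
ESTAB      69980  0      10.111.96.255:53510              10.111.96.255:10000               timer:(keepalive,56min,0) users:(("java",pid=16607,fd=557)) uid:1013 ino:504630510 sk:ffff881e44b964c0 <->
ESTAB      0      0      10.111.96.255:60738              10.111.96.255:10000               timer:(keepalive,47min,0) uid:1013 ino:504782353 sk:ffff881a89f8dd00 <->
ESTAB      113522 0      10.111.96.255:35746              10.111.96.255:10000               timer:(keepalive,54min,0) uid:1013 ino:505099885 sk:ffff880a38b6ae80 <->
EOF
}

# socket_owners [LIMIT]: read `ss -ntpe` output on stdin and print one line
# per socket: local peer uid=.. ino=.. proc=name/pid recvq=.. BACKLOG|ok
# Assumes the column layout shown above (no Netid column, i.e. -t only).
# LIMIT (bytes of unread data in Recv-Q) is a threshold chosen for this example.
socket_owners() {
  awk -v limit="${1:-65536}" '
    # Return the value of a "key:value" token on the current line, or "-".
    function val(key,   i) {
      for (i = 6; i <= NF; i++)
        if (index($i, key ":") == 1) return substr($i, length(key) + 2)
      return "-"
    }
    $1 == "State" { next }                        # skip the header row
    NF >= 5 {
      proc = "-"                                  # stays "-" when -p showed nothing
      # users:(("java",pid=16607,fd=557))  ->  java/16607
      if (match($0, /users:\(\("[^"]*",pid=[0-9]+/)) {
        u = substr($0, RSTART + 9, RLENGTH - 9)   # java",pid=16607
        split(u, p, /",pid=/)
        proc = p[1] "/" p[2]
      }
      # Recv-Q on an established socket is data the application has not read yet.
      flag = ($2 + 0 > limit + 0) ? "BACKLOG" : "ok"
      print $4, $5, "uid=" val("uid"), "ino=" val("ino"), "proc=" proc, "recvq=" $2, flag
    }'
}

sample_ss_output | socket_owners 65536
```

On a live host the same function can be fed with `sudo ss -ntpe | socket_owners`; the ino value matches the socket:[inode] link under /proc/<pid>/fd for the owning process.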

-i, --info

Show internal TCP information.

sudo ss -nti dport = :10000 | head
State      Recv-Q Send-Q Local Address:Port               Peer Address:Port              
ESTAB      69980  0      10.111.96.255:53510              10.111.96.255:10000              
     cubic wscale:7,7 rto:204 rtt:3.725/7.328 ato:40 mss:65468 cwnd:10 ssthresh:7 bytes_acked:64493 bytes_received:620668 segs_out:977 segs_in:1549 send 1406.0Mbps lastsnd:76924115 lastrcv:76924086 lastack:4812456 pacing_rate 2811.6Mbps rcv_rtt:3830 rcv_space:43690

-s, --summary

Print summary statistics.

sudo ss -s
Total: 1417 (kernel 2653)
TCP:   1563 (estab 1049, closed 430, orphaned 0, synrecv 0, timewait 417/0), ports 0

Transport Total     IP        IPv6
*     2653      -         -        
RAW   0         0         0        
UDP   17        15        2        
TCP   1133      1133      0        
INET      1150      1148      2        
FRAG      0         0         0

-4, --ipv4

Display only IP version 4 sockets (alias for -f inet).

-6, --ipv6

Display only IP version 6 sockets (alias for -f inet6).

-0, --packet

Display PACKET sockets.

-t, --tcp

Display only TCP sockets.

-u, --udp

Display only UDP sockets.

-d, --dccp

Display only DCCP sockets.

-w, --raw

Display only RAW sockets.

-x, --unix

Display only Unix domain sockets.

-f FAMILY, --family=FAMILY

Display sockets of type FAMILY. Currently the following families are supported: unix, inet, inet6, link, netlink.

-A QUERY, --query=QUERY, --socket=QUERY

List of socket tables to dump, separated by commas. The following identifiers are understood: all, inet, tcp, udp, raw, unix, packet, netlink, unix_dgram, unix_stream, packet_raw, packet_dgram.

-D FILE, --diag=FILE

Do not display anything, just dump raw information about TCP sockets to FILE after applying filters. If FILE is - stdout is used.

-F FILE, --filter=FILE

Read filter information from FILE. Each line of FILE is interpreted like single command line option. If FILE is - stdin is used.

FILTER := [ state TCP-STATE ] [ EXPRESSION ]

Please take a look at the official documentation (Debian package iproute-doc) for details regarding filters. Filters are combined with AND; for an OR relationship, use the form (filter1 or filter2).

ss -o state fin-wait-1 '( sport = :http or sport = :https )' dst 193.233.7/24

Practice

# By port
ss sport = :80
ss sport = :http
ss dport = :80
ss '(sport = :80 or dport = :80)'

# By IP
ss src xxx.xxx.xxx.xxx
ss dst xxx.xxx.xxx.xxx

# By ip:port
ss src xxx.xxx.xxx.xxx:80
ss dst xxx.xxx.xxx.xxx:80

# Sort the results
ss sport = :80 | sort -n -r -k 3

# Show established ssh connections
ss -o state established '( dport = :ssh or sport = :ssh )'