ss

ss manpage

ss is generally viewed as the better, more modern successor to netstat; prefer it for inspecting local sockets.

Use sudo!

Without root permissions, not all sockets will show the corresponding process when using the -p flag. It's a good idea to use sudo, particularly if you’re trying to match on process ID or name.

Show all possible sockets matching a process expression:

ss -ap | sed -n "1p; /pid=$(pgrep -of 'python3 sock_stream_server.py'),/p"
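
Matching on the pid= entry of the Process column, rather than on the bare number anywhere in the line, keeps a PID such as 8123 from also matching port 8123. The following is an added example, not part of the original notes; the function names and the sample rows (modelled on the ss output shown on this page, plus one constructed row without process info) are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the original notes.
# Assumes `ss -ap`-style input: Netid column present, Process column last.

# Constructed sample modelled on the output shown on this page, plus one
# constructed row with no Process column (as seen without root).
sample_ss_output() {
cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
u_seq LISTEN 0 0 /tmp/myunixsocket.sock 368616 * 0 users:(("python3",pid=121816,fd=3))
udp   UNCONN 0 0 127.0.0.1:8123 0.0.0.0:* users:(("python3",pid=109786,fd=3))
tcp   LISTEN 0 128 127.0.0.1:8123 0.0.0.0:* users:(("python3",pid=100464,fd=3))
tcp   ESTAB  0 0 127.0.0.1:57920 127.0.0.1:8123 users:(("python3",pid=100465,fd=3))
tcp   ESTAB  0 0 127.0.0.1:8123 127.0.0.1:57920 users:(("python3",pid=100464,fd=4))
tcp   LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
EOF
}

# Print "netid state local" for sockets owned by PID $1.
# Only the users:(...) part of the row is searched, so a PID never matches
# a port number or inode elsewhere on the line.
sockets_for_pid() {
    awk -v pid="$1" '
        NR == 1 { next }                        # skip the header row
        {
            i = index($0, "users:(")
            if (i == 0) next                    # no process info on this row
            if (index(substr($0, i), "pid=" pid ",") == 0) next
            print $1, $2, $5
        }'
}

# Print sockets whose Process column is empty: without root these are
# often sockets owned by another user, so rerun with sudo to resolve them.
sockets_without_owner() {
    awk 'NR > 1 && NF > 0 && index($0, "users:(") == 0 { print $1, $2, $5 }'
}

# Live use, with the process pattern from the command on this page:
#   sudo ss -ap | sockets_for_pid "$(pgrep -of 'python3 sock_stream_server.py')"
sample_ss_output | sockets_for_pid 100464
sample_ss_output | sockets_without_owner
```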

The main flags I use to filter on socket types:

  • -t - TCP
  • -u - UDP
  • -w - raw
  • -x - unix
  • --xdp - xdp…obvi

Examples

Filter-related flags:

  • -a shows all sockets regardless of state. Omitting it shows only ESTAB
  • -p shows the owning process - note that this may require sudo for certain processes to show

Optional “include more info” flags:

  • -o shows timers. Particularly useful if you’re filtering on state (e.g. finding how long sockets have been in time-wait)
  • -m - memory usage
  • -e extended info, particularly useful for checking inode (this can help find client sockets for AF_UNIX)

ss supports pretty cool expressions after all the flags as well.

Show all time-wait sockets destined for port 443 from a source prefix:

ss -o state time-wait '( dport = :https )' src 104.28.0.0/16

What are Send-Q and Recv-Q?

These show the current usage of the socket buffers. Note that this is not the total capacity; that’s set by SO_RCVBUF and SO_SNDBUF. ss won’t show the total capacity unless you specify --inet-sockopt AND SO_RCVBUF or SO_SNDBUF is set to a non-default value.

Annoyances

--inet-sockopt says “Display inet socket options”. It doesn’t actually do this. It shows internal kernel flags / state indicators, not socket options in the getsockopt() sense.

Example

mierdin@t-bug:~ $ ss -t --inet-sockopt
State             Recv-Q              Send-Q                           Local Address:Port                            Peer Address:Port              Process
ESTAB             0                   0                                    127.0.0.1:57920                              127.0.0.1:8123
        inet-sockopt: ( is_icsk mc_loop mc_all)

There’s also the -l or --listen flag - the manpage says listening sockets are omitted by default but in the example below this doesn’t seem to be true, and when added it just filters out ESTAB sockets. So it’s sort of the opposite of the -a flag.

Example

mierdin@t-bug:~/socket-examples $ ss -ap | sed -n '1p; /python3/p'
Netid State  Recv-Q Send-Q                                                       Local Address:Port                 Peer Address:Port Process

u_seq LISTEN 0      0                                                   /tmp/myunixsocket.sock 368616                          * 0     users:(("python3",pid=121816,fd=3))

u_seq ESTAB  0      0                                                   /tmp/myunixsocket.sock 368617                          * 0     users:(("python3",pid=121816,fd=4))

u_seq ESTAB  0      0                                                                        * 371934                          * 0     users:(("python3",pid=121817,fd=3))

udp   UNCONN 0      0                                                                127.0.0.1:8123                      0.0.0.0:*     users:(("python3",pid=109786,fd=3))

udp   UNCONN 0      0                                                                  0.0.0.0:41778                     0.0.0.0:*     users:(("python3",pid=109822,fd=3))

tcp   LISTEN 0      128                                                              127.0.0.1:8123                      0.0.0.0:*     users:(("python3",pid=100464,fd=3))

tcp   ESTAB  0      0                                                                127.0.0.1:57920                   127.0.0.1:8123  users:(("python3",pid=100465,fd=3))

tcp   ESTAB  0      0                                                                127.0.0.1:8123                    127.0.0.1:57920 users:(("python3",pid=100464,fd=4))

mierdin@t-bug:~/socket-examples $ ss -alp | sed -n '1p; /python3/p'
Netid State  Recv-Q Send-Q                                                       Local Address:Port                 Peer Address:PortProcess
u_seq LISTEN 0      0                                                   /tmp/myunixsocket.sock 368616                          * 0    users:(("python3",pid=121816,fd=3))
udp   UNCONN 0      0                                                                127.0.0.1:8123                      0.0.0.0:*    users:(("python3",pid=109786,fd=3))
udp   UNCONN 0      0                                                                  0.0.0.0:41778                     0.0.0.0:*    users:(("python3",pid=109822,fd=3))
tcp   LISTEN 0      128                                                              127.0.0.1:8123                      0.0.0.0:*    users:(("python3",pid=100464,fd=3))