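The ss command
ss is short for Socket Statistics. The ss command displays information about active sockets. Its output is similar to that of netstat, but ss shows more detailed information about TCP and connection states, and it is faster and more efficient than netstat.
When a server has a very large number of socket connections, both the netstat command and a direct cat /proc/net/tcp become slow. You may not have felt this yourself, but once a server maintains ten thousand or more connections, using netstat wastes time while ss saves it. As the saying goes, in martial arts only speed is unbeatable. The secret of ss's speed is that it uses tcp_diag in the TCP protocol stack. tcp_diag is a module for analysis and statistics that obtains first-hand information from the Linux kernel, which is what makes ss fast and efficient. If your system does not have tcp_diag, ss still works, only somewhat more slowly (but still faster than netstat).
Syntax
ss [options]
Function
The ss command (short for Socket Statistics) retrieves socket statistics. Its output is similar to that of netstat, but it shows more detailed TCP connection-state information and is faster and more efficient than netstat. It uses tcp_diag in the TCP protocol stack (a module for analysis and statistics) to obtain first-hand information directly from the kernel, which is what makes ss fast and efficient. Without tcp_diag, ss still works.
Common options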
-h, --help Show help information
-V, --version Show program version information
-n, --numeric Do not resolve service names
-r, --resolve Resolve host names
-a, --all Show all sockets
-l, --listening Show sockets in the listening state
-o, --options Show timer information
-e, --extended Show detailed socket information
-m, --memory Show socket memory usage
-p, --processes Show the processes using each socket
-i, --info Show internal TCP information
-s, --summary Show a summary of socket usage
-4, --ipv4 Show only IPv4 sockets
-6, --ipv6 Show only IPv6 sockets
-0, --packet Show PACKET sockets
-t, --tcp Show only TCP sockets
-u, --udp Show only UDP sockets
-d, --dccp Show only DCCP sockets
-w, --raw Show only RAW sockets
-x, --unix Show only Unix sockets
-f, --family=FAMILY Show sockets of type FAMILY; supported values are unix, inet, inet6, link, netlink
-A, --query=QUERY, --socket=QUERY
QUERY := {all|inet|tcp|udp|raw|unix|packet|netlink}[,QUERY]
-D, --diag=FILE Dump raw TCP socket information to a file
-F, --filter=FILE Read filter information from a file
FILTER := [ state TCP-STATE ] [ EXPRESSION ]
Usage examples
- 1. Show all TCP sockets:
ss -ta
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:ssh *:*
LISTEN 0 100 127.0.0.1:smtp *:*
ESTAB 0 96 192.168.172.101:ssh 192.168.172.1:52859
LISTEN 0 128 :::ssh :::*
LISTEN 0 100 ::1:smtp :::*
- 2. Show all UDP sockets:
ss -ua
State Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0 0 127.0.0.1:323 *:*
UNCONN 0 0 ::1:323 :::*
- 3. Show a summary of socket usage:
ss -s
Total: 562 (kernel 819)
TCP: 5 (estab 1, closed 0, orphaned 0, synrecv 0, timewait 0/0), ports 0
Transport Total IP IPv6
* 819 - -
RAW 0 0 0
UDP 2 1 1
TCP 5 3 2
INET 7 4 3
FRAG 0 0 0
- 4. List the ports the host is listening on:
ss -tln
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:22 *:*
LISTEN 0 100 127.0.0.1:25 *:*
LISTEN 0 128 :::22 :::*
LISTEN 0 100 ::1:25 :::*
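As shown, this host has two ports open, 22 and 25: the smtp service on port 25 and the ssh service on port 22.
- 5. Resolve IP addresses and port numbers with the -r option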
ss -tlr
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:ssh *:*
LISTEN 0 100 localhost:smtp *:*
LISTEN 0 128 :::ssh :::*
LISTEN 0 100 localhost:smtp :::*
- 6. Show the name of the program listening on each port with the -p option
ss -tlp
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:ssh *:* users:(("sshd",pid=958,fd=3))
LISTEN 0 100 127.0.0.1:smtp *:* users:(("master",pid=1083,fd=13))
LISTEN 0 128 :::ssh :::* users:(("sshd",pid=958,fd=4))
LISTEN 0 100 ::1:smtp :::* users:(("master",pid=1083,fd=14))
- 7. Filter the listening ports further with grep
ss -tlp|grep ssh
LISTEN 0 128 *:ssh *:* users:(("sshd",pid=958,fd=3))
LISTEN 0 128 :::ssh :::* users:(("sshd",pid=958,fd=4))
- 8. View established TCP connections
ss -tna
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:22 *:*
LISTEN 0 100 127.0.0.1:25 *:*
ESTAB 0 96 192.168.172.101:22 192.168.172.1:52859
LISTEN 0 128 :::22 :::*
LISTEN 0 100 ::1:25 :::*
The ESTAB line shows that the machine at 192.168.172.1:52859 is connected to 192.168.172.101 over ssh, and that this machine uses the default ssh port.
- 9. Show all established SMTP connections
ss -o state established '( dport = :smtp or sport = :smtp )'
Netid Recv-Q Send-Q
- 10. Show all established HTTP connections
ss -o state established '( dport = :http or sport = :http )'
Netid Recv-Q Send-Q Local Address:Port Peer Address:Port
- 11. Find all processes connected to the X server
ss -x src /tmp/.X11-unix/*
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
- 12. List http and https connections in the FIN-WAIT-1 state
ss -o state fin-wait-1 '( sport = :http or sport = :https )'
Common ss state values:
established
syn-sent
syn-recv
fin-wait-1
fin-wait-2
time-wait
closed
close-wait
last-ack
listen
closing
all : All of the above states
connected : All the states except for listen and closed
synchronized : All the connected states except for syn-sent
bucket : Show states, which are maintained as minisockets, i.e. time-wait and syn-recv.
big : Opposite to bucket state.
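Possible states on the active-open side: CLOSED SYN_SENT ESTABLISHED
Possible states on the active-close side: FIN_WAIT_1 FIN_WAIT_2 TIME_WAIT
Possible states on the passive-open side: LISTEN SYN_RECV ESTABLISHED
Possible states on the passive-close side: CLOSE_WAIT LAST_ACK CLOSED
- 13. List all TCP sockets in the FIN-WAIT-1 state with source port 80 or 443 and destination network 172.16.108.0/24.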
ss -o state fin-wait-1 '( sport = :http or sport = :https )' dst 172.16.108.0/24
Netid Recv-Q Send-Q Local Address:Port Peer Address:Port
- 14. Filter sockets by TCP state
Command:
ss -4 state FILTER_NAME_HERE
ss -6 state FILTER_NAME_HERE
Output:
ss -4 state established
Netid Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp 0 0 172.16.108.119:4505 172.16.108.119:23549
tcp 0 0 172.16.108.119:45156 172.16.108.119:4506
tcp 0 96 172.16.108.119:ssh 172.16.31.18:49807
tcp 0 0 172.16.108.119:23549 172.16.108.119:4505
tcp 0 0 172.16.108.119:4506 172.16.108.119:45156
- 15. Match a remote address and port number
Command:
ss dst ADDRESS_PATTERN
ss dst 172.16.108.119
ss dst 172.16.108.119:http
ss dst 172.16.108.119:smtp
ss dst 172.16.108.119:443
Output:
ss dst 172.16.108.119
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp ESTAB 0 0 172.16.108.119:4505 172.16.108.119:23549
tcp ESTAB 0 0 172.16.108.119:45156 172.16.108.119:4506
tcp ESTAB 0 0 172.16.108.119:23549 172.16.108.119:4505
tcp ESTAB 0 0 172.16.108.119:4506 172.16.108.119:45156
tcp ESTAB 0 0 ::ffff:172.16.108.119:4888 ::ffff:172.16.108.119:60242
tcp ESTAB 0 0 ::ffff:172.16.108.119:38387 ::ffff:172.16.108.119:ciphire-serv
tcp ESTAB 0 0 ::ffff:172.16.108.119:57722 ::ffff:172.16.108.119:eforward
tcp ESTAB 0 0 ::ffff:172.16.108.119:9092 ::ffff:172.16.108.119:39087
tcp ESTAB 0 0 ::ffff:172.16.108.119:39087 ::ffff:172.16.108.119:9092
tcp ESTAB 0 0 ::ffff:172.16.108.119:32168 ::ffff:172.16.108.119:9093
tcp ESTAB 0 0 ::ffff:172.16.108.119:60242 ::ffff:172.16.108.119:4888
tcp ESTAB 0 0 ::ffff:172.16.108.119:eforward ::ffff:172.16.108.119:57722
tcp ESTAB 0 0 ::ffff:172.16.108.119:19587 ::ffff:172.16.108.119:cgn-stat
tcp ESTAB 0 0 ::ffff:172.16.108.119:33942 ::ffff:172.16.108.119:ciphire-serv
tcp ESTAB 0 0 ::ffff:172.16.108.119:cgn-stat ::ffff:172.16.108.119:19587
tcp ESTAB 0 0 ::ffff:172.16.108.119:9093 ::ffff:172.16.108.119:32168
tcp ESTAB 0 0 ::ffff:172.16.108.119:ciphire-serv ::ffff:172.16.108.119:38387
tcp ESTAB 0 0 ::ffff:172.16.108.119:ciphire-serv ::ffff:172.16.108.119:33942
ss dst 172.16.108.119:4888
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp ESTAB 0 0 ::ffff:172.16.108.119:60242 ::ffff:172.16.108.119:4888
ss dst 172.16.108.119:ssh
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
- 16. Match a local address and port number
Command:
ss src ADDRESS_PATTERN
ss src 172.16.108.119
ss src 172.16.108.119:http
ss src 172.16.108.119:80
ss src 172.16.108.119:smtp
ss src 172.16.108.119:25
Output:
ss src 172.16.108.119
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp ESTAB 0 0 172.16.108.119:4505 172.16.108.119:23549
tcp ESTAB 0 96 172.16.108.119:ssh 172.16.31.18:64660
tcp ESTAB 0 0 172.16.108.119:45156 172.16.108.119:4506
tcp ESTAB 0 0 172.16.108.119:23549 172.16.108.119:4505
tcp ESTAB 0 0 172.16.108.119:4506 172.16.108.119:45156
tcp ESTAB 0 0 ::ffff:172.16.108.119:4888 ::ffff:172.16.108.119:60242
tcp ESTAB 0 0 ::ffff:172.16.108.119:9200 ::ffff:172.16.108.152:49366
tcp ESTAB 0 0 ::ffff:172.16.108.119:9200 ::ffff:172.16.108.152:38657
tcp ESTAB 0 0 ::ffff:172.16.108.119:38387 ::ffff:172.16.108.119:ciphire-serv
tcp ESTAB 0 0 ::ffff:172.16.108.119:57722 ::ffff:172.16.108.119:eforward
tcp ESTAB 0 0 ::ffff:172.16.108.119:9200 ::ffff:172.16.108.155:53303
tcp ESTAB 0 0 ::ffff:172.16.108.119:9092 ::ffff:172.16.108.119:39087
tcp ESTAB 0 0 ::ffff:172.16.108.119:39087 ::ffff:172.16.108.119:9092
tcp ESTAB 0 0 ::ffff:172.16.108.119:ciphire-serv ::ffff:172.16.108.119:34014
tcp ESTAB 0 0 ::ffff:172.16.108.119:32168 ::ffff:172.16.108.119:9093
tcp ESTAB 0 0 ::ffff:172.16.108.119:60242 ::ffff:172.16.108.119:4888
tcp ESTAB 0 0 ::ffff:172.16.108.119:eforward ::ffff:172.16.108.119:57722
tcp ESTAB 0 0 ::ffff:172.16.108.119:34014 ::ffff:172.16.108.119:ciphire-serv
tcp ESTAB 0 0 ::ffff:172.16.108.119:19587 ::ffff:172.16.108.119:cgn-stat
tcp ESTAB 0 0 ::ffff:172.16.108.119:cgn-stat ::ffff:172.16.108.119:19587
tcp ESTAB 0 0 ::ffff:172.16.108.119:9200 ::ffff:172.16.108.155:30525
tcp ESTAB 0 0 ::ffff:172.16.108.119:9093 ::ffff:172.16.108.119:32168
tcp ESTAB 0 0 ::ffff:172.16.108.119:9200 ::ffff:172.16.108.155:44191
tcp ESTAB 0 0 ::ffff:172.16.108.119:ciphire-serv ::ffff:172.16.108.119:38387
tcp ESTAB 0 0 ::ffff:172.16.108.119:9200 ::ffff:172.16.108.152:41656
- 17. Compare the local or remote port with a number
Command:
ss dport OP PORT
ss sport OP PORT
Output:
[root@devops03 ~]# ss sport = :http
[root@devops03 ~]# ss dport = :http
[root@devops03 ~]# ss dport \> :1024
[root@devops03 ~]# ss sport \> :1024
[root@devops03 ~]# ss sport \< :32000
[root@devops03 ~]# ss sport eq :22
[root@devops03 ~]# ss dport != :22
[root@devops03 ~]# ss state connected sport = :http
[root@devops03 ~]# ss \( sport = :http or sport = :https \)
[root@devops03 ~]# ss -o state fin-wait-1 \( sport = :http or sport = :https \) dst 172.16.108.0/24
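Notes:
ss dport OP PORT compares the remote port with a number; ss sport OP PORT compares the local port with a number.
OP can be any of the following:
<= or le : less than or equal to the port number
>= or ge : greater than or equal to the port number
== or eq : equal to the port number
!= or ne : not equal to the port number
< or lt : less than the port number
> or gt : greater than the port number
- 18. Efficiency comparison of ss and netstat
Command: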
time netstat -at
time ss
Output:
[root@devops03 ~]# time ss
real 0m0.015s
user 0m0.004s
sys 0m0.010s
[root@devops03 ~]# time netstat -antlp
real 0m0.100s
user 0m0.006s
sys 0m0.073s
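Note: the time command is used to measure how long netstat and ss each take to retrieve program and summary information. When the server has many connections, netstat's efficiency cannot compare with that of ss.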
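As an added example (not part of the original page), the shell functions below combine the -t, -l, -n and -p options from examples 4 and 6 and classify each listening socket as bound to all interfaces, to loopback, or to a specific address, which is a common first check when reviewing which services a host exposes. The sample input is constructed from the page's outputs, the function names are illustrative, and the parser assumes TCP-only output (no Netid column).

```shell
#!/bin/sh
# Added example: classify listening TCP sockets in `ss -tlnp` output by exposure.

# Constructed sample, modelled on the page's `ss -tln` and `ss -tlp` outputs.
sample_ss_output() {
cat <<'EOF'
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:22 *:* users:(("sshd",pid=958,fd=3))
LISTEN 0 100 127.0.0.1:25 *:* users:(("master",pid=1083,fd=13))
LISTEN 0 128 :::22 :::* users:(("sshd",pid=958,fd=4))
LISTEN 0 100 ::1:25 :::* users:(("master",pid=1083,fd=14))
EOF
}

# Reads `ss -tlnp` text on stdin; prints "<scope> <port> <process>" per listener.
classify_listeners() {
    awk '
    $1 == "LISTEN" {
        laddr = $4
        n = match(laddr, /:[^:]*$/)      # the last colon separates address and port
        if (n == 0) next
        addr = substr(laddr, 1, n - 1)
        port = substr(laddr, n + 1)
        gsub(/[][]/, "", addr)           # newer ss prints IPv6 as [::]:22
        sub(/%.*/, "", addr)             # drop an interface suffix such as %lo
        if (addr == "*" || addr == "0.0.0.0" || addr == "::")
            scope = "ALL-INTERFACES"
        else if (addr ~ /^127\./ || addr == "::1")
            scope = "LOOPBACK"
        else
            scope = "SPECIFIC"
        proc = "unknown"                 # process info for other users needs root
        if (match($0, /users:\(\("[^"]+"/))
            proc = substr($0, RSTART + 9, RLENGTH - 10)
        print scope, port, proc
    }' | sort -u
}

# Ports bound to every interface, i.e. reachable from other hosts unless firewalled.
exposed_ports() {
    classify_listeners | awk '$1 == "ALL-INTERFACES" { print $2 }' | sort -un
}

# On a live host: ss -tlnp | classify_listeners
sample_ss_output | classify_listeners
```

Comparing the output of `exposed_ports` against the list of services the host is expected to offer highlights listeners that should be rebound to loopback or closed.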