Linux 下 ss 命令使用示例

2018/10 29 15:10

netstat 已经过时了, ss网络命令 是功能更强大的命令 。

(本文译自 http://www.sanfoundry.com/ss-command-usage-examples-in-linux/

这篇教程解释了Linux 的“ss”命令,并通过举例给出了一些用法。

ss - socket statistics

描述

ss 用来倒出socket 的统计数据。 它显示跟 netstat 类似的信息,但能显示比其它工具更详细的TCP 状态信息。

用法
ss [选项] [过滤]

选项
如果没有指定任何选项,ss 列出所有已经建立、并不处在listen的TCP 套接字。

-h, –help

列出选项概要

-V,–version
输出版本信息

-n, –numeric
不尝试解析服务的名字

-r,–resolve
尝试解析数字地址/端口

-a,–all
显示处在listening 和 非listening 状态的套接字(对TCP来说,这意味所有已建立的连接)。

-l,–listening
只显示处在 listening 状态的套接字(默认情况下它们是被忽略的)

* -o, –options*
显示定时器信息

-e,–extended
显示详细的套接字信息

-m,–memory
显示套接字的内存使用信息

-p, –process
显示使用套接字的进程

-i, –info
显示TCP内部信息

-s,–summary
显示概要统计。该选项不分析来自不同来源的套接字概要信息。 当套接字的数量很大导致分析/proc/net/tcp 很痛苦时,它很有用。

-Z,–context
同 -p 选项,不过还显示进程的安全上下文

-z,–contexts
同 -Z, 不过还显示套接字的上下文。 该套接字上下文是从inode里取出的、并不是内核持有的实际的socket上下文。 套接子通常以创建它的进程上下文标记, 但该上下文会反映已应用上的policy role, type and/or range , 因此这是个很有用的参考。

-b,-bpf
显示套接字的BPF过滤(只有管理员能获取这些信息)

-4,–ipv4
只显示IPv4 套接字(-f inet的别名)

-6,–ipv6
只显示IPv6 套接字(-f inet6的别名)

-0,–packet
显示PACKET 套接字(-f link的别名)

-t,–tcp
显示 TCP 套接字

-u,–udp
显示UDP 套接字

-d,–dccp
显示 DCCP 套接字

-w,–raw
显示 RAW 套接字

-x,–unix
显示 Unix Domain 套接字(-f unix的别名)

-f FAMILY,–family=FAMILY
显示类型为FAMILY的套接字。 支持以下几个family: unix, inet,inet6,link,netlink

-A QUERY, –query=QUERY, –socket=QUERY 
列出需要倒出的套接字列表,用逗号隔开。 支持以下标识符: all, inet, tcp, udp, raw, unix, packet, netlink, unix_dgram, unix_stream, unix_seqpacket, packet_raw, packet_dgram

-D FILE, –diag=FILE
不显示任何内容,仅把原始TCP套接字信息存入文件FILE。 如果FILE为 - , 则使用stdout作为输出。

-F FILE, –filter=FILE
从文件FILE中读取信息。 文件的每一行被认为是单个命令行参数。 如果FILE为 - , 则使用stdin。

* FILTER := [ state TCP-STATE ] [ EXPRESSION ] *
请参考filter的官方文档(debian 包 iproute-doc).

例子
1. 显示所有的连接

 $ ss |
 less
Netid  State      Recv-Q Send-QLocal
 Address:Port       Peer Address:Port   
u_str  ESTAB      00*207499*207500
 
u_str  ESTAB      00      @/tmp/dbus-HulwP2Cqbm207393*207392
 
u_str  ESTAB      00      @/tmp/.X11-unix/X0 206529*206528
 
u_str  ESTAB      00*206446*206447
 
u_str  ESTAB      00      @/tmp/dbus-HulwP2Cqbm205775*205774
 
u_str  ESTAB      00      @/tmp/dbus-HulwP2Cqbm205578*205577
 
u_str  ESTAB      00      @/tmp/dbus-HulwP2Cqbm207082*207081
 
u_str  ESTAB      00      @/dbus-vfs-daemon/socket-eEA5oIcY228375*0
      
u_str  ESTAB      00*206971*206972
 
u_str  ESTAB      00*205301*205302
 
u_str  ESTAB      00      @/tmp/dbus-HulwP2Cqbm206668*206667
 
u_str  ESTAB      00      @/dbus-vfs-daemon/socket-rCip3gc7205882*205881
 
u_str  ESTAB      00*205170*205171
 
u_str  ESTAB      00*7967*7968
....
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17

2.把TCP连接过滤出来:

 $ ss-aAtcp
StateRecv-QSend-QLocalAddress:PortPeerAddress:Port
LISTEN     0      5               127.0.1.1:domain
                   *:*       
LISTEN     0      128             127.0.0.1:ipp
                      *:*       
CLOSE-WAIT 1      0          192.168.42.250:58390      103.245.222.184:http
TIME-WAIT  0      0          192.168.10.148:56833        74.125.236.99:http
CLOSE-WAIT 1      0          192.168.10.140:35766      103.245.222.184:http
CLOSE-WAIT 1      0          192.168.42.250:58392      103.245.222.184:http
TIME-WAIT  0      0          192.168.10.148:49839         23.57.219.27:http
ESTAB      0      0          192.168.10.148:53060        173.194.36.41:https
CLOSE-WAIT 1      0          192.168.10.140:35765      103.245.222.184:http
TIME-WAIT  0      0          192.168.10.148:47000        74.125.28.100:http
CLOSE-WAIT 1      0          192.168.42.250:58391      103.245.222.184:http
TIME-WAIT  0      0          192.168.10.148:38878        173.194.36.46:http
CLOSE-WAIT 1      0          192.168.10.140:35763      103.245.222.184:http
CLOSE-WAIT 1      0          192.168.10.140:35764      103.245.222.184:http
CLOSE-WAIT 1      0          192.168.42.250:58389      103.245.222.184:http
LISTEN     0      128                   ::1:ipp
                     :::*       
CLOSE-WAIT 1      0                     ::1:55327::1:ipp
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19

$ ss-at
StateRecv-QSend-QLocalAddress:PortPeerAddress:Port
LISTEN     0      5               127.0.1.1:domain
                   *:*       
LISTEN     0      128             127.0.0.1:ipp
                      *:*       
CLOSE-WAIT 1      0          192.168.42.250:58390      103.245.222.184:http
TIME-WAIT  0      0          192.168.10.148:56833        74.125.236.99:http
CLOSE-WAIT 1      0          192.168.10.140:35766      103.245.222.184:http
CLOSE-WAIT 1      0          192.168.42.250:58392      103.245.222.184:http
TIME-WAIT  0      0          192.168.10.148:49839         23.57.219.27:http
ESTAB      0      0          192.168.10.148:53060        173.194.36.41:https
CLOSE-WAIT 1      0          192.168.10.140:35765      103.245.222.184:http
TIME-WAIT  0      0          192.168.10.148:47000        74.125.28.100:http
CLOSE-WAIT 1      0          192.168.42.250:58391      103.245.222.184:http
TIME-WAIT  0      0          192.168.10.148:38878        173.194.36.46:http
CLOSE-WAIT 1      0          192.168.10.140:35763      103.245.222.184:http
CLOSE-WAIT 1      0          192.168.10.140:35764      103.245.222.184:http
CLOSE-WAIT 1      0          192.168.42.250:58389      103.245.222.184:http
LISTEN     0      128                   ::1:ipp
                     :::*       
CLOSE-WAIT 1      0                     ::1:55327::1:ipp
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19

3.过滤出UDP连接

$ 
ss -aA udp
StateRecv-QSend-QLocalAddress:PortPeerAddress:Port
UNCONN00                       *:58718                    *:*
UNCONN00127.0.1.1:domain                   *:*
UNCONN00                       *:bootpc                   *:*
UNCONN00                       *:mdns                     *:*
UNCONN00                       *:27412                    *:*
UNCONN00:::62912:::*
UNCONN00:::mdns:::*
UNCONN00:::46372:::*
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10

$ 
ss -au
StateRecv-QSend-QLocalAddress:PortPeerAddress:Port
UNCONN00                       *:58718                    *:*
UNCONN00127.0.1.1:domain                   *:*
UNCONN00                       *:bootpc                   *:*
UNCONN00                       *:mdns                     *:*
UNCONN00                       *:27412                    *:*
UNCONN00:::62912:::*
UNCONN00:::mdns:::*
UNCONN00:::46372:::*
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10

4.不解析主机名
为了加快输出的速度,用”n”选项防止ss 解析IP地址到主机名。不过这同样阻止了对端口名的解析。

 $ ss-nt
StateRecv-QSend-QLocalAddress:PortPeerAddress:Port
CLOSE-WAIT 1      0            192.168.42.250:58390      103.245.222.184:80
ESTAB      0      0            192.168.10.148:56390       63.245.216.132:443
CLOSE-WAIT 1      0            192.168.10.140:35766      103.245.222.184:80
CLOSE-WAIT 1      0            192.168.42.250:58392      103.245.222.184:80
CLOSE-WAIT 1      0            192.168.10.140:35765      103.245.222.184:80
CLOSE-WAIT 1      0            192.168.42.250:58391      103.245.222.184:80
CLOSE-WAIT 1      0            192.168.10.140:35763      103.245.222.184:80
CLOSE-WAIT 1      0            192.168.10.140:35764      103.245.222.184:80
CLOSE-WAIT 1      0            192.168.42.250:58389      103.245.222.184:80
CLOSE-WAIT 1      0                       ::1:55327::1:631
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12

5.只显示监听的套接字

$ 
ss -lnt
StateRecv-QSend-QLocalAddress:PortPeerAddress:Port
LISTEN05127.0.1.1:53                       *:*
LISTEN0128127.0.0.1:631                      *:*
LISTEN0128::1:631:::*
  • 1
  • 2
  • 3
  • 4
  • 5

6.打印进程名和进程号

# ss -ltp
StateRecv-QSend-QLocalAddress:PortPeerAddress:Port
LISTEN05127.0.1.1:domain                   *:*users:(("dnsmasq",1199,5
))
LISTEN0128127.0.0.1:ipp                      *:*users:(("cupsd",793,10
))
LISTEN0128::1:ipp:::*users:(("cupsd",793,9))
  • 1
  • 2
  • 3
  • 4
  • 5

7.打印统计概要


$ ss -s
Total: 648 (kernel 0
)
TCP:   12 (estab 0, closed 0, orphaned 0, synrecv 0, timewait 0/0), ports 0



Transport Total
     IP        IPv6
*     0
         -         -        
RAW   000
        
UDP   853
        
TCP   12102
        
INET      20155
        
FRAG      000
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11

8.仅显示IPv4 或 IPv6 连接

$ 
ss -tl -f inet
StateRecv-QSend-QLocalAddress:PortPeerAddress:Port
LISTEN05127.0.1.1:domain                   *:*
LISTEN0128127.0.0.1:ipp                      *:*


$ 
ss -tl6
StateRecv-QSend-QLocalAddress:PortPeerAddress:Port
LISTEN0128::1:ipp:::*
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9

10 列出处在 time-wait 状态的 IPv4 套接字



$ ss-t4statetime-wait
Recv-QSend-QLocalAddress:PortPeerAddress:Port
   
0      0                192.168.1.2:42261           199.59.150.39:https
   
0      0                  127.0.0.1:43541               127.0.0.1:2633
  • 1
  • 2
  • 3
  • 4
  • 5

注意: 状态可以是以下任意一种

stablished
yn-sent
yn-recv
in-wait-1
in-wait-2
ime-wait
losed
lose-wait
ast-ack
closing
all – All of the above states
connected – All the states except for listen and closed
synchronized – All the connected states except for syn-sent
bucket – Show states, which are maintained as minisockets, i.e. time-wait and syn-recv.
big – Opposite to bucket state.

11 显示所有源端口或目的端口为 ssh 的套接字

$ ss -at '( dport = :ssh or sport = :ssh )'
StateRecv-QSend-QLocalAddress:PortPeerAddress:Port
LISTEN0128                   *:ssh                    *:*
LISTEN0128:::ssh:::*
  • 1
  • 2
  • 3
  • 4

12 显示目的端口是443或80的套接字



$ ss -nt'( dst :443 or dst :80 )'

State      Recv-Q Send-QLocal
 Address:Port          Peer Address:Port 
CLOSE-WAIT10192.168.42.250:58390103.245.222.184:80
    
CLOSE-WAIT10192.168.10.140:35766103.245.222.184:80
    
CLOSE-WAIT10192.168.42.250:58392103.245.222.184:80
    
CLOSE-WAIT10192.168.10.140:35765103.245.222.184:80
    
CLOSE-WAIT10192.168.42.250:58391103.245.222.184:80
    
CLOSE-WAIT10192.168.10.140:35763103.245.222.184:80
    
CLOSE-WAIT10192.168.10.140:35764103.245.222.184:80
    
CLOSE-WAIT10192.168.42.250:58389103.245.222.184:80
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11

13 对地址和端口过滤

$ ss -nt dst 103.245.222.184:80
State Recv-Q Send-Q Local Address:Port Peer Address:Port
CLOSE-WAIT 1 0 192.168.42.250:58390 103.245.222.184:80
CLOSE-WAIT 1 0 192.168.10.140:35766 103.245.222.184:80
CLOSE-WAIT 1 0 192.168.42.250:58392 103.245.222.184:80
CLOSE-WAIT 1 0 192.168.10.140:35765 103.245.222.184:80
CLOSE-WAIT 1 0 192.168.42.250:58391 103.245.222.184:80
CLOSE-WAIT 1 0 192.168.10.140:35763 103.245.222.184:80
CLOSE-WAIT 1 0 192.168.10.140:35764 103.245.222.184:80
CLOSE-WAIT 1 0 192.168.42.250:58389 103.245.222.184:80

14 仅过滤端口

$ ss -nt dport = :80
State Recv-Q Send-Q Local Address:Port Peer Address:Port
CLOSE-WAIT 1 0 192.168.42.250:58390 103.245.222.184:80
CLOSE-WAIT 1 0 192.168.10.140:35766 103.245.222.184:80
CLOSE-WAIT 1 0 192.168.42.250:58392 103.245.222.184:80
CLOSE-WAIT 1 0 192.168.10.140:35765 103.245.222.184:80
CLOSE-WAIT 1 0 192.168.42.250:58391 103.245.222.184:80
CLOSE-WAIT 1 0 192.168.10.140:35763 103.245.222.184:80
CLOSE-WAIT 1 0 192.168.10.140:35764 103.245.222.184:80
CLOSE-WAIT 1 0 192.168.42.250:58389 103.245.222.184:80

15 显示对方端口号小于100的套接字

# ss -nt dport \< :100

16 显示端口号大于1024的套接字

# sudo ss -nt sport gt :1024

17 显示对方端口是 80的套接字

sudo ss -nt state connected dport = :80

--转载请注明: http://91o.cc/linux-%e4%b8%8b-ss-%e5%91%bd%e4%bb%a4%e4%bd%bf%e7%94%a8%e7%a4%ba%e4%be%8b/

发表回复

(必填)