ss即socket state,也就是说,是可以查看系统中socket的状态的。我们可以用netstat,但为什么还要用ss这个工具呢,当然ss也是有好处的。当我们打开的socket数量很多时,netstat就会变得慢了。
我们先来看看ss的使用格式:
1: [root@redhat ~]# ss ?2: ss: bison bellows (while parsing filter): "syntax error!" Sorry.
3: Usage: ss [ OPTIONS ] 4: ss [ OPTIONS ] [ FILTER ] 5: -h, --help this message 6: -V, --version output version information 7: -n, --numeric don't resolve service names 8: -r, --resolve resolve host names 9: -a, --all display all sockets 10: -l, --listening display listening sockets 11: -o, --options show timer information 12: -e, --extended show detailed socket information 13: -m, --memory show socket memory usage 14: -p, --processes show process using socket 15: -i, --info show internal TCP information 16: -s, --summary show socket usage summary 17: 18: -4, --ipv4 display only IP version 4 sockets 19: -6, --ipv6 display only IP version 6 sockets 20: -0, --packet display PACKET sockets 21: -t, --tcp display only TCP sockets 22: -u, --udp display only UDP sockets 23: -d, --dccp display only DCCP sockets 24: -w, --raw display only RAW sockets 25: -x, --unix display only Unix domain sockets 26: -f, --family=FAMILY display sockets of type FAMILY 27: 28: -A, --query=QUERY 29: QUERY := {all|inet|tcp|udp|raw|unix|packet|netlink}[,QUERY] 30: 31: -F, --filter=FILE read filter information from FILE 32: FILTER := [ state TCP-STATE ] [ EXPRESSION ] 33: [root@redhat ~]#
ss的强大之处,大于可以设定过滤条件,我们可以根据socket的状态来进行过滤,也可通过端口与ip地址进行过滤。也就是我们在命令格式里面看到的STATE-FILTER与ADDRESS-FILTER。
首先看看STATE-FILTER,STATE-FILTER可用的过滤条件有:
1. 所有的TCP状态,包含:established, syn-sent, syn-recv, fin-wait-1, fin-wait-2, time-wait, closed, close-wait, last-ack, listen and closing.
2. all,包含所有的状态。
3. connected,除了listen与closed的所有其它状态。
4. synchronized,除了syn-sent的所有connected的状态。
5. bucket
6. big
使用时,如:
$ ss state connected再看看ADDRESS-FILTER,ADDRESS-FILTER用于过滤端口与地址。而且可以进行表达式组合。可用的子表达式有:
1. dst ADDRESS_PATTERN
2. src ADDRESS_PATTERN
3. dport RELOP PORT
4. sport RELOP PORT
5. autobound
其中ADDRESS_PATTERN为ip地址与端口匹配,ip:port,可以用*代替。RELOP为<= >=或==。
如:
1: [root@redhat ~]# ss dst 169.254.7.12: State Recv-Q Send-Q Local Address:Port Peer Address:Port
3: ESTAB 0 0 169.254.0.1:4565 169.254.7.1:45831 4: ESTAB 0 0 169.254.0.1:4565 169.254.7.1:45827 5: ESTAB 0 0 169.254.6.1:36202 169.254.7.1:37520 6: ESTAB 0 0 169.254.0.1:4565 169.254.7.1:45832 7: ESTAB 0 0 169.254.0.1:11001 169.254.7.1:39425 8: ESTAB 0 0 169.254.0.1:11003 169.254.7.1:57108 9: ESTAB 0 0 169.254.0.1:7331 169.254.7.1:55076 10: ESTAB 0 0 169.254.0.1:11002 169.254.7.1:60527 11: ESTAB 0 0 169.254.6.1:57477 169.254.7.1:7331 12: ESTAB 0 0 169.254.0.1:shell 169.254.7.1:54370 13: ESTAB 0 0 169.254.0.1:4565 169.254.7.1:45812 14: ESTAB 0 0 169.254.0.1:4565 169.254.7.1:45813 15: ESTAB 0 0 169.254.0.1:4565 169.254.7.1:45810 16: ESTAB 0 0 169.254.0.1:4565 169.254.7.1:45811 17: ESTAB 0 0 169.254.0.1:4565 169.254.7.1:45808 18: ESTAB 0 0 169.254.0.1:4565 169.254.7.1:45816 19: ESTAB 0 0 169.254.0.1:4565 169.254.7.1:45806 20: [root@redhat ~]#
多个子表达式之间可以组合,当然跟tcpdump一样,可以用or and not来组合。但括号要用转义符号表示。
如:
[root@redhat ~]# ss -o state fin-wait-1 \( sport = :http or sport = :https \) dst 193.233.7/24
看看几个例子:
查看系统总体信息:
1: [root@redhat ~]# ss -s 2: Total: 160 (kernel 194) 3: TCP: 48 (estab 31, closed 0, orphaned 0, synrecv 0, timewait 0/0), ports 49 4: Transport Total IP IPv6 5: * 194 - - 6: RAW 0 0 0 7: UDP 5 5 0 8: TCP 48 48 0 9: INET 53 53 0 10: FRAG 0 0 0 11: 12: [root@redhat ~]#
想看当前机器的11001端口被谁占用了:
1: [root@redhat ~]#ss -lp src :110012: Recv-Q Send-Q Local Address:Port Peer Address:Port
3: 0 0 169.254.0.1:11001 *:* users:(("syslog-ng",21761,12))
4: [root@redhat ~]#
我们可以看到,是一个叫syslog-ng的进程,进程id是21761
原文:http://www.cnblogs.com/txw1958/archive/2012/07/26/linux-ss.html