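What the command does
The ss command displays socket status. It can show statistics for PACKET sockets, TCP sockets, UDP sockets, DCCP sockets, RAW sockets, Unix domain sockets and more. It shows more TCP and state information than other tools. It is a very practical, fast and effective newer tool for tracking IP connections and sockets. The ss command can provide the following information:
- All TCP sockets
- All UDP sockets
- All persistent ssh/ftp/http/https connections
- All local processes connected to the X server
- Filtering by state (for example: connected, synchronized, SYN-RECV, SYN-SENT, TIME-WAIT), address and port
- All TCP socket connections in the FIN-WAIT-1 state, and more
Fast... fast, fast... fast!
When the number of socket connections on a server becomes very large, both the netstat command and a direct cat /proc/net/tcp run slowly. You may not have felt this first-hand, but believe me: when a server is holding ten thousand or more connections, using netstat is a waste of your life, while ss saves time.
ss is fast because it uses tcp_diag in the TCP protocol stack. tcp_diag is a module for analysis and statistics that obtains first-hand information from the Linux kernel, which is what makes ss quick and efficient. If your system does not have tcp_diag, ss still works normally, only somewhat more slowly.
Comparing the efficiency of ss and netstat: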
[root@node1 ~]# time netstat -tan|grep -i estab |wc -l
127
real 0m0.600s
user 0m0.048s
sys 0m0.312s
[root@node1 ~]# time ss -tan|grep -i estab |wc -l
126
real 0m0.028s
user 0m0.001s
sys 0m0.007s
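The results show that ss is an order of magnitude faster than netstat.
Common ss options
-h: show help information
-V: show version information
-n: do not resolve service names; show numeric values
-a: show all sockets
-l: show sockets in the listening state
-o: show timer information
-m: show socket memory usage
-p: show the process using each socket
-i: show internal TCP information
-4: show only IPv4 sockets
-6: show only IPv6 sockets
-t: show only TCP sockets
-u: show only UDP sockets
-d: show only DCCP sockets
-w: show only RAW sockets
-x: show only UNIX domain sockets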
-A, --query=QUERY, --socket=QUERY
QUERY := {all|inet|tcp|udp|raw|unix|packet|netlink}[,QUERY]
-D, --diag=FILE # dump raw information about TCP sockets to FILE
-F, --filter=FILE # read filter rules from the file given here, to select connections in a given state
FILTER := [ state TCP-STATE ] [ EXPRESSION ]
The -s option: show a socket summary
Lists the current established, closed, orphaned and time-wait TCP sockets
[root@node1 ~]# ss -s
Total: 759 (kernel 1071)
TCP: 174 (estab 87, closed 31, orphaned 0, synrecv 0, timewait 29/0), ports 0
Transport Total IP IPv6
* 1071 - -
RAW 1 0 1
UDP 10 6 4
TCP 143 108 35
INET 154 114 40
FRAG 0 0 0
View all connections in the listening state
[root@node1 ~]# ss -l
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp LISTEN 0 128 10.0.0.61:fs-agent *:*
tcp LISTEN 0 50 *:7180 *:*
tcp LISTEN 0 128 10.0.0.61:1004 *:*
tcp LISTEN 0 128 *:50060 *:*
tcp LISTEN 0 50 *:bmcpatrolagent *:*
tcp LISTEN 0 128 127.0.0.1:45677 *:*
tcp LISTEN 0 50 *:7182 *:*
tcp LISTEN 0 50 10.0.0.61:1006 *:*
tcp LISTEN 0 128 *:50030 *:*
tcp LISTEN 0 128 *:sunrpc *:*
tcp LISTEN 0 50 *:ndmp *:*
tcp LISTEN 0 128 10.0.0.61:19888 *:*
tcp LISTEN 0 128 10.0.0.61:10033 *:*
tcp LISTEN 0 5 *:vop *:*
tcp LISTEN 0 128 10.0.0.61:oa-system *:*
tcp LISTEN 0 128 10.0.0.61:50070 *:*
tcp LISTEN 0 5 127.0.0.1:7190 *:*
tcp LISTEN 0 128 *:ssh *:*
tcp LISTEN 0 5 *:7191 *:*
tcp LISTEN 0 100 *:irisa *:*
tcp LISTEN 0 128 10.0.0.61:radan-http *:*
tcp LISTEN 0 1 127.0.0.1:metasys *:*
tcp LISTEN 0 50 *:44697 *:*
tcp LISTEN 0 128 127.0.0.1:19001 *:*
tcp LISTEN 0 100 127.0.0.1:smtp *:*
tcp LISTEN 0 128 *:13562 *:*
tcp LISTEN 0 50 *:emc-pp-mgmtsvc *:*
tcp LISTEN 0 80 :::mysql :::*
tcp LISTEN 0 128 :::sunrpc :::*
tcp LISTEN 0 128 :::http :::*
tcp LISTEN 0 5 :::4434 :::*
tcp LISTEN 0 128 :::ssh :::*
tcp LISTEN 0 5 :::7191 :::*
tcp LISTEN 0 100 ::1:smtp :::*
tcp LISTEN 0 128 :::https :::*
View the sockets used by processes
[root@node1 ~]# ss -pl
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp LISTEN 0 128 10.0.0.61:fs-agent *:* users:(("java",pid=3544,fd=216))
tcp LISTEN 0 50 *:7180 *:* users:(("java",pid=1182,fd=261))
tcp LISTEN 0 128 10.0.0.61:1004 *:* users:(("jsvc",pid=4435,fd=166))
tcp LISTEN 0 128 *:50060 *:* users:(("java",pid=2580,fd=157))
tcp LISTEN 0 50 *:bmcpatrolagent *:* users:(("java",pid=2620,fd=37))
tcp LISTEN 0 128 127.0.0.1:45677 *:* users:(("java",pid=2580,fd=147))
tcp LISTEN 0 50 *:7182 *:* users:(("java",pid=1182,fd=247))
tcp LISTEN 0 50 10.0.0.61:1006 *:* users:(("jsvc",pid=4435,fd=168))
tcp LISTEN 0 128 *:50030 *:* users:(("java",pid=3050,fd=154))
tcp LISTEN 0 128 *:sunrpc *:* users:(("rpcbind",pid=535,fd=4),("systemd",pid=1,fd=36))
tcp LISTEN 0 50 *:ndmp *:* users:(("java",pid=2451,fd=378))
tcp LISTEN 0 128 10.0.0.61:19888 *:* users:(("java",pid=3546,fd=191))
tcp LISTEN 0 128 10.0.0.61:10033 *:* users:(("java",pid=3546,fd=180))
tcp LISTEN 0 5 *:vop *:* users:(("python2.7",pid=1772,fd=8))
tcp LISTEN 0 50 *:documentum *:* users:(("java",pid=2451,fd=379))
tcp LISTEN 0 50 *:sdr *:* users:(("java",pid=2620,fd=23))
tcp LISTEN 0 128 10.0.0.61:qbdb *:* users:(("java",pid=3031,fd=180))
tcp LISTEN 0 128 10.0.0.61:intu-ec-svcdisc *:* users:(("java",pid=3075,fd=206))
tcp LISTEN 0 128 10.0.0.61:intu-ec-client *:* users:(("java",pid=3050,fd=143))
tcp LISTEN 0 50 *:macbak *:* users:(("java",pid=2620,fd=35))
tcp LISTEN 0 50 *:ezmeeting-2 *:* users:(("java",pid=2643,fd=233))
tcp LISTEN 0 128 10.0.0.61:oa-system *:* users:(("java",pid=3075,fd=183))
tcp LISTEN 0 128 10.0.0.61:50070 *:* users:(("java",pid=3075,fd=177))
tcp LISTEN 0 5 127.0.0.1:7190 *:* users:(("python2.7",pid=1772,fd=14))
tcp LISTEN 0 128 *:ssh *:* users:(("sshd",pid=773,fd=3))
tcp LISTEN 0 5 *:7191 *:* users:(("python2.7",pid=1772,fd=7))
tcp LISTEN 0 100 *:irisa *:* users:(("java",pid=2435,fd=265))
tcp LISTEN 0 128 10.0.0.61:radan-http *:* users:(("java",pid=3440,fd=177))
tcp LISTEN 0 1 127.0.0.1:metasys *:* users:(("java",pid=2435,fd=279))
tcp LISTEN 0 50 *:44697 *:* users:(("java",pid=2620,fd=24))
tcp LISTEN 0 128 127.0.0.1:19001 *:* users:(("python",pid=1557,fd=4))
tcp LISTEN 0 100 127.0.0.1:smtp *:* users:(("master",pid=1225,fd=13))
tcp LISTEN 0 128 *:13562 *:* users:(("java",pid=3544,fd=215))
tcp LISTEN 0 50 *:emc-pp-mgmtsvc *:* users:(("java",pid=2444,fd=378))
tcp LISTEN 0 80 :::mysql :::* users:(("mysqld",pid=1181,fd=63))
tcp LISTEN 0 128 :::sunrpc :::*
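Added example (not part of the original page): a small audit helper that reads listener rows in the format shown above, classifies each TCP listener by bind scope (wildcard, loopback or a specific address) and reports wildcard listeners whose port is not on an allowlist. The function names and the allowlist are assumptions, and the sample rows are constructed from the output above with numeric ports, as -n prints them.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.

# Constructed sample: rows modelled on the ss -pl output above, with numeric
# ports as -n prints them. The last row has no users:(...) column.
sample_rows() {
cat <<'EOF'
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp LISTEN 0 50 *:7180 *:* users:(("java",pid=1182,fd=261))
tcp LISTEN 0 128 127.0.0.1:19001 *:* users:(("python",pid=1557,fd=4))
tcp LISTEN 0 128 10.0.0.61:1004 *:* users:(("jsvc",pid=4435,fd=166))
tcp LISTEN 0 128 *:22 *:* users:(("sshd",pid=773,fd=3))
tcp LISTEN 0 80 :::3306 :::* users:(("mysqld",pid=1181,fd=63))
tcp LISTEN 0 100 ::1:25 :::*
EOF
}

# Reads ss rows on stdin; prints "scope port process pid" per TCP listener.
classify_listeners() {
    awk '
    {
        s = 0                                    # index of the State column
        if ($1 == "LISTEN") s = 1                # output without a Netid column
        else if ($2 == "LISTEN") s = 2           # output with a Netid column
        if (!s) next                             # header and non-LISTEN rows
        ep = $(s + 3); procs = $(s + 5)
        n = split(ep, part, ":"); port = part[n] # port follows the last colon
        addr = substr(ep, 1, length(ep) - length(port) - 1)
        gsub(/\[/, "", addr); gsub(/\]/, "", addr)   # handles [::]:22 style
        scope = "specific"
        if (addr == "*" || addr == "0.0.0.0" || addr == "::") scope = "wildcard"
        else if (addr ~ /^127\./ || addr == "::1") scope = "loopback"
        name = "-"; pid = "-"                    # no process column on this row
        if (match(procs, /"[^"]*"/)) name = substr(procs, RSTART + 1, RLENGTH - 2)
        if (match(procs, /pid=[0-9]+/)) pid = substr(procs, RSTART + 4, RLENGTH - 4)
        print scope, port, name, pid
    }'
}

# unexpected_wildcard "PORT PORT ...": wildcard listeners not on the allowlist.
unexpected_wildcard() {
    classify_listeners | awk -v allowed="$1" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "wildcard" && !($2 in ok)'
}

# Demo on the constructed rows; on a host: ss -lntp | unexpected_wildcard "22 443"
sample_rows | unexpected_wildcard "22"
```

Run ss with -n for this kind of parsing: the service names in the output above (fs-agent, vop, irisa) are only /etc/services lookups of the port number and say nothing about what is actually listening.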
List all ssh connections whose state is estab
[root@node1 ~]# ss -o state established '( sport = :22 )'
Netid Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp 0 0 10.0.0.61:ssh 10.0.0.1:park-agent timer:(keepalive,2min28sec,0)
[root@node1 ~]# ss -o state established '( sport = :ssh )'
Netid Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp 0 0 10.0.0.61:ssh 10.0.0.1:park-agent timer:(keepalive,1min57sec,0)
List all http connections
[root@node1 ~]# ss -o state established '( sport = :http or dport = :http )'
Use ss to list which local processes are connected to the X server
[root@node1 ~]# ss -x src /tmp/.X11-unix/*
Use ss to list http and https connections in the FIN-WAIT-1 state
[root@node1 ~]# ss -o state fin-wait-1 '( sport = :http or sport = :https )'
Common ss state filters:
established
syn-sent
syn-recv
fin-wait-1
fin-wait-2
time-wait
closed
close-wait
last-ack
listen
closing
all: all of the above states
connected: all the states except for listen and closed
synchronized: all the connected states except for syn-sent
bucket: states which are maintained as minisockets, i.e. time-wait and syn-recv
big: opposite to bucket
Filtering by IP address with ss
ss src ADDRESS_PATTERN:proto/port
src: source address
dst: destination address
ADDRESS_PATTERN: the address pattern (may be an address range)
proto/port: protocol or port
Examples:
1. List all connections whose source address is 10.0.0.61
[root@node1 ~]# ss src 10.0.0.61
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp ESTAB 0 0 10.0.0.61:51808 10.0.0.62:kerberos
tcp ESTAB 0 0 10.0.0.61:55082 10.0.0.61:mysql
tcp FIN-WAIT-2 0 0 10.0.0.61:44396 10.0.0.61:eforward
tcp ESTAB 0 0 10.0.0.61:54070 10.0.0.61:mysql
tcp ESTAB 0 0 10.0.0.61:51742 10.0.0.61:7182
2. List all mysql connections whose source address is 10.0.0.61
[root@node1 ~]# ss src 10.0.0.61:mysql
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp ESTAB 0 0 ::ffff:10.0.0.61:mysql ::ffff:10.0.0.61:54066
tcp ESTAB 0 0 ::ffff:10.0.0.61:mysql ::ffff:10.0.0.61:55154
tcp ESTAB 0 0 ::ffff:10.0.0.61:mysql ::ffff:10.0.0.61:54926
tcp ESTAB 0 0 ::ffff:10.0.0.61:mysql ::ffff:10.0.0.61:54068
tcp ESTAB 0 0 ::ffff:10.0.0.61:mysql ::ffff:10.0.0.61:42944
tcp ESTAB 0 0 ::ffff:10.0.0.61:mysql ::ffff:10.0.0.61:44244
tcp ESTAB 0 0 ::ffff:10.0.0.61:mysql ::ffff:10.0.0.61:54150
tcp ESTAB 0 0 ::ffff:10.0.0.61:mysql ::ffff:10.0.0.61:54920
tcp ESTAB 0 0 ::ffff:10.0.0.61:mysql ::ffff:10.0.0.61:55408
tcp ESTAB 0 0 ::ffff:10.0.0.61:mysql ::ffff:10.0.0.61:54924
3. List all mysql connections whose destination address is 10.0.0.61
[root@node1 ~]# ss dst 10.0.0.61:3306
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp ESTAB 0 0 10.0.0.61:55082 10.0.0.61:mysql
tcp ESTAB 0 0 10.0.0.61:54070 10.0.0.61:mysql
tcp ESTAB 0 0 10.0.0.61:54922 10.0.0.61:mysql
tcp ESTAB 0 0 10.0.0.61:55152 10.0.0.61:mysql
tcp ESTAB 0 0 10.0.0.61:54928 10.0.0.61:mysql
tcp ESTAB 0 0 10.0.0.61:39996 10.0.0.61:mysql
Filtering by port
ss dport/sport OP PORT
OP: operator
PORT: port
dport/sport: filter on the destination/source port
The operators are:
<= or le: less than or equal to
>= or ge: greater than or equal to
== or eq: equal to
!= : not equal to
< or lt: less than
> or gt: greater than
Examples:
[root@node1 ~]# ss sport = :mysql
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp ESTAB 0 0 ::ffff:10.0.0.61:mysql ::ffff:10.0.0.61:54066
tcp ESTAB 0 0 ::ffff:10.0.0.61:mysql ::ffff:10.0.0.61:55154
tcp ESTAB 0 0 ::ffff:10.0.0.61:mysql ::ffff:10.0.0.61:54926
tcp ESTAB 0 0 ::ffff:10.0.0.61:mysql ::ffff:10.0.0.61:54068
[root@node1 ~]# ss sport = :3306
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp ESTAB 0 0 ::ffff:10.0.0.61:mysql ::ffff:10.0.0.61:54066
tcp ESTAB 0 0 ::ffff:10.0.0.61:mysql ::ffff:10.0.0.61:55154
[root@node1 ~]# ss dport \> :1024
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
u_str ESTAB 0 0 * 16252 * 16253
u_str ESTAB 0 0 * 35028 * 35027
u_str ESTAB 0 0 * 16791 * 16813
u_str ESTAB 0 0 * 297984 * 299009
[root@node1 ~]# ss sport \> :20000
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
u_str ESTAB 0 0 * 35028 * 35027
u_str ESTAB 0 0 * 297984 * 299009
u_str ESTAB 0 0 * 41350 * 0
u_str ESTAB 0 0 * 23010 * 23009
u_str ESTAB 0 0 * 38302 * 0
u_str ESTAB 0 0 * 37222 * 0
[root@node1 ~]# ss \( sport = :mysql or sport = :ssh \)
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp ESTAB 0 0 10.0.0.61:ssh 10.0.0.1:5449
tcp ESTAB 0 0 10.0.0.61:ssh 10.0.0.1:6034
tcp ESTAB 0 0 ::ffff:10.0.0.61:mysql ::ffff:10.0.0.61:54066
tcp ESTAB 0 0 ::ffff:10.0.0.61:mysql ::ffff:10.0.0.61:55154
tcp ESTAB 0 0 ::ffff:10.0.0.61:mysql ::ffff:10.0.0.61:54926
tcp ESTAB 0 0 ::ffff:10.0.0.61:mysql ::ffff:10.0.0.61:54068
tcp ESTAB 0 0 ::ffff:10.0.0.61:mysql ::ffff:10.0.0.61:50806
tcp ESTAB 0 0 ::ffff:10.0.0.61:mysql ::ffff:10.0.0.61:42944
tcp ESTAB 0 0 ::ffff:10.0.0.61:mysql ::ffff:10.0.0.61:44244
[root@node1 ~]# ss state connected sport = :mysql
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp ESTAB 0 0 ::ffff:10.0.0.61:mysql ::ffff:10.0.0.61:54066
tcp ESTAB 0 0 ::ffff:10.0.0.61:mysql ::ffff:10.0.0.61:55154
tcp ESTAB 0 0 ::ffff:10.0.0.61:mysql ::ffff:10.0.0.61:54926
tcp ESTAB 0 0 ::ffff:10.0.0.61:mysql ::ffff:10.0.0.61:54068
tcp ESTAB 0 0 ::ffff:10.0.0.61:mysql ::ffff:10.0.0.61:50806
tcp ESTAB 0 0 ::ffff:10.0.0.61:mysql ::ffff:10.0.0.61:42944
tcp ESTAB 0 0 ::ffff:10.0.0.61:mysql ::ffff:10.0.0.61:44244
tcp ESTAB 0 0 ::ffff:10.0.0.61:mysql ::ffff:10.0.0.61:54150
[root@node1 ~]# ss -o state fin-wait-1 \( dport = :mysql or sport = :ssh \)
Or use the single-quoted form:
[root@node1 ~]# ss -o state fin-wait-1 '( dport = :mysql or sport = :ssh )'
Show the processes connected to the X server
[root@node1 ~]# ss -x src /tmp/.X11-unix/*