Thursday, May 26, 2016

ss command



Introduction
  • ss is another utility to investigate sockets
  • By default it dumps only TCP sockets, rather than all socket types


2 Basic Usage

  • ss -t -a : dumps all TCP sockets
  • ss -u -a : dumps all UDP sockets
  • ss -w -a : dumps all RAW sockets
  • ss -x -a : dumps all UNIX sockets

3 State Filter
ss state bucket
State       Recv-Q Send-Q                               Local Address:Port                                   Peer Address:Port
TIME-WAIT   0      0                                 ::ffff:127.0.0.1:https                              ::ffff:127.0.0.1:48207
TIME-WAIT   0      0                                 ::ffff:127.0.0.1:https                              ::ffff:127.0.0.1:48211
TIME-WAIT   0      0                                 ::ffff:127.0.0.1:https                              ::ffff:127.0.0.1:48209
TIME-WAIT   0      0                                 ::ffff:127.0.0.1:https                              ::ffff:127.0.0.1:48215
TIME-WAIT   0      0                                 ::ffff:127.0.0.1:https                              ::ffff:127.0.0.1:48208

More detail
  • All standard TCP states: established, syn-sent, syn-recv, fin-wait-1, fin-wait-2, time-wait, closed, close-wait, last-ack, listen and closing.
  • all - for all the states
  • connected - all the states except for listen and closed
  • synchronized - all the connected states except for syn-sent
  • bucket - states that are maintained as minisockets, i.e. time-wait and syn-recv
  • big - the opposite of bucket




4 Address filter
 ss   -a  dst 192.168.168.0/24

State       Recv-Q Send-Q    Local Address:Port        Peer Address:Port
ESTAB       0      0         ::ffff:127.0.0.1:ssh    ::ffff:192.168.168.140:63563
ESTAB       0      52        ::ffff:127.0.0.1:ssh    ::ffff:192.168.168.140:52859

More detail
  • dst ADDRESS_PATTERN - matches remote address and port
  • src ADDRESS_PATTERN - matches local address and port
  • dport RELOP PORT - compares remote port to a number
  • sport RELOP PORT - compares local port to a number

5 Name resolution -r
 ss -ar   dst 192.168.168.0/24
State       Recv-Q Send-Q                               Local Address:Port                                   Peer Address:Port
ESTAB       0      0                            localhost.localdomain:ssh                          who:63563
ESTAB       0      52                           localhost.localdomain:ssh                            who:52859



6.  Process -p

ss  -p  -a  dst 192.168.168.0/24
State       Recv-Q Send-Q    Local Address:Port       Peer Address:Port
ESTAB       0      0      ::ffff:127.0.0.1:ssh      ::ffff:192.168.168.140:63563  users:(("sshd",4219,3))
ESTAB       0      52   ::ffff:127.0.0.1:ssh      ::ffff:192.168.168.140:52859    users:(("sshd",31086,3))


7. Timer information -o


State       Recv-Q Send-Q                               Local Address:Port                                   Peer Address:Port
ESTAB       0      0     ::ffff:127.0.0.1:ssh       ::ffff:IP:63563    timer:(keepalive,18min,0)
ESTAB       0      52      ::ffff:127.0.0.1:ssh    ::ffff:IP:52859    timer:(on,420ms,0)


8. Summary -s


