Troubleshooting sockets with ss
Getting Specific
You can look at only TCP sockets with:
# ss -t
Alternatively, you could write out the --tcp
option. Ramp up the level of detail with the -a
(for "all") switch:
# ss -t -a
Altering that command ever-so slightly generates output to include UDP, Raw, and Unix sockets. For a verbose view of all UDP sockets, enter
# ss -u -a
and to view all Raw sockets, enter:
# ss -w -a
If you really must indulge yourself with several screen's worth of mind-boggling text, you can choose to view all Unix Domain sockets with:
# ss -x -a
Also included in the seemingly bottomless toolbox provided by the ss utility is the ability to watch out for DCCP sockets; DCCP is a less common network protocol that has the connection-oriented, error-checking traits of TCP with the broadcast-type features of UDP. The DCCP protocol is often used for media streaming. Check for DCCP traffic with this nifty little command:
# ss -d -a
You can also monitor the status of connections to your computer by extending the level of detail using the -e
option (Listing 6).
Listing 6
ss -e
Listing 6 shows timer options that offer an insight into the current status of any keepalives on a connection. This feature can be useful for services such as HTTP or SSH, which tend to employ keepalives (see the box titled "Keepalive Notes"). Listing 7 shows similar output using the netstat -to
command.
Keepalive Notes
A keepalive packet generally has a TCP ACK configured with a sequence number set to one less than the current number used on the connection. Any machine receiving a nudge from such a packet will simply respond with the correct sequence number and, Frankenstein jokes aside, announce that it is indeed alive.
These types of packets are sometimes empty and generally have three associated parameters. The retry
parameter will declare how many times to send a packet before coming to the conclusion that the other end of the connection has given up the ghost. The time
setting is configured as the frequency of the checks, and finally the interval
dictates the length of time between two sent packets if no response is received.
Inside the kernel, you can alter these settings by editing these values in the eye-watering pseudo-filesystem known and loved as /proc
. One file, in this case, is /proc/sys/net/ipv4/tcp_keepalive_time
, and you can edit it as follows:
# echo 75 > /proc/sys/net/\ ipv4/tcp_keepalive_intvl # echo 9 > /proc/sys/net/\ ipv4/tcp_keepalive_probes
Listing 7
netstat -to
Netstat also lets you prepend the versatile watch
command and see real-time updates:
# watch netstat -to
It is a close call, but I have to admit that, in this instance, netstat keeps its output nice and succinct and looks as good as the ss utility's output.
Source and Destination
The following command lets you find information on any sockets with a destination (dst
) aimed at a specific IP address:
# ss dst 192.168.0.1
Conversely, it's not going to take a massive leap to consider that using the src
option reveals information on the source side of the socket:
# ss src 192.168.0.2
Handy, huh? This syntax is easy to remember if you're in a rush, saving the day when a testy boss is breathing down your neck during an outage.
You can even use CIDR network notations in the address callout:
# ss dst 192.168.0.1/24
Add a colon at the end, and you can check for a very specific port and a very wide IP address range at the same time:
# 192.168.0.1/24:53
I really appreciate this functionality in situations with lots of traffic and numerous open ports. For instance, this option lets you monitor all DNS-related activity on an entire /24 subnet with one simple ss command.
Regular Expressions
In addition to DNS names and IP addresses, you can also use regular expression (regex) operators in your ss syntax. Have a look at this little nugget:
# ss dport != :53
This command excludes the destination dport
on the DNS port 53
.
If you need to retain some sanity and avoid just looking at numbers, you can also translate ports into the /etc/services
format:
# ss 192.168.0.1:http
If you're ready to be impressed, you can also include greater-than, lesser-than, less-than-or-equal-to, and so forth:
# ss dport > :53
Other special characters are possible also, although sometimes special characters need escaping. Alphabetic equivalents, such as eq
(equal), ne
(not equal), gt
(greater than), and le
(less than) also work. Your mileage might vary with different versions of the ss utility.
« Previous 1 2 3 Next »
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Canonical Bumps LTS Support to 12 years
If you're worried that your Ubuntu LTS release won't be supported long enough to last, Canonical has a surprise for you in the form of 12 years of security coverage.
-
Fedora 40 Beta Released Soon
With the official release of Fedora 40 coming in April, it's almost time to download the beta and see what's new.
-
New Pentesting Distribution to Compete with Kali Linux
SnoopGod is now available for your testing needs
-
Juno Computers Launches Another Linux Laptop
If you're looking for a powerhouse laptop that runs Ubuntu, the Juno Computers Neptune 17 v6 should be on your radar.
-
ZorinOS 17.1 Released, Includes Improved Windows App Support
If you need or desire to run Windows applications on Linux, there's one distribution intent on making that easier for you and its new release further improves that feature.
-
Linux Market Share Surpasses 4% for the First Time
Look out Windows and macOS, Linux is on the rise and has even topped ChromeOS to become the fourth most widely used OS around the globe.
-
KDE’s Plasma 6 Officially Available
KDE’s Plasma 6.0 "Megarelease" has happened, and it's brimming with new features, polish, and performance.
-
Latest Version of Tails Unleashed
Tails 6.0 is based on Debian 12 and includes GNOME 43.
-
KDE Announces New Slimbook V with Plenty of Power and KDE’s Plasma 6
If you're a fan of KDE Plasma, you'll be thrilled to hear they've announced a new Slimbook with an AMD CPU and the latest version of KDE Plasma desktop.
-
Monthly Sponsorship Includes Early Access to elementary OS 8
If you want to get a glimpse of what's in the pipeline for elementary OS 8, just set up a monthly sponsorship to help fund its continued existence.