Troubleshooting sockets with ss

Getting Specific

You can look at only TCP sockets with:

# ss -t

Alternatively, you could write out the --tcp option. Ramp up the level of detail with the -a (for "all") switch:

# ss -t -a

Altering that command ever so slightly generates output for UDP, Raw, and Unix sockets. For a verbose view of all UDP sockets, enter:

# ss -u -a

and to view all Raw sockets, enter:

# ss -w -a

If you really must indulge yourself with several screens' worth of mind-boggling text, you can choose to view all Unix Domain sockets with:

# ss -x -a

Also included in the seemingly bottomless toolbox provided by the ss utility is the ability to watch out for DCCP sockets; DCCP is a less common network protocol that has the connection-oriented, error-checking traits of TCP with the broadcast-type features of UDP. The DCCP protocol is often used for media streaming. Check for DCCP traffic with this nifty little command:

# ss -d -a

You can also monitor the status of connections to your computer by extending the level of detail using the -e option (Listing 6).

Listing 6

ss -e


Listing 6 shows timer options that offer an insight into the current status of any keepalives on a connection. This feature can be useful for services such as HTTP or SSH, which tend to employ keepalives (see the box titled "Keepalive Notes"). Listing 7 shows similar output using the netstat -to command.

Keepalive Notes

A keepalive packet generally has a TCP ACK configured with a sequence number set to one less than the current number used on the connection. Any machine receiving a nudge from such a packet will simply respond with the correct sequence number and, Frankenstein jokes aside, announce that it is indeed alive.

These types of packets are sometimes empty and generally have three associated parameters. The retry parameter will declare how many times to send a packet before coming to the conclusion that the other end of the connection has given up the ghost. The time setting is configured as the frequency of the checks, and finally the interval dictates the length of time between two sent packets if no response is received.

Inside the kernel, you can alter these settings by editing these values in the eye-watering pseudo-filesystem known and loved as /proc. One file, in this case, is /proc/sys/net/ipv4/tcp_keepalive_time, and you can edit it as follows:

# echo 75 > /proc/sys/net/\
# echo 9 > /proc/sys/net/\
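The timer column from Listing 6 and the three keepalive parameters described in this box can be read together. The script below is an added example, not code from the article; the snapshot is constructed in the layout of `ss -tno` output, and tcp_keepalive_intvl and tcp_keepalive_probes are the kernel's companion files to tcp_keepalive_time.

```shell
#!/bin/sh
# Added example, not from the article. Sample data below is constructed.

# keepalive_budget [DIR]: worst-case seconds before the kernel gives up on a
# silent peer, from the three settings in DIR (default /proc/sys/net/ipv4):
# idle time before the first probe + interval * number of probes.
keepalive_budget() {
    dir=${1:-/proc/sys/net/ipv4}
    t=$(cat "$dir/tcp_keepalive_time")   || return 1
    i=$(cat "$dir/tcp_keepalive_intvl")  || return 1
    p=$(cat "$dir/tcp_keepalive_probes") || return 1
    echo $(( t + i * p ))
}

# keepalive_report: reads `ss -tno` lines on stdin; for each ESTAB socket
# prints "peer timer remaining counter", or "peer none - -" when ss showed
# no timer field (no keepalive or other timer armed on that socket).
keepalive_report() {
    awk '$1 == "ESTAB" {
        kind = "none"; left = "-"; count = "-"
        for (f = 6; f <= NF; f++)
            if ($f ~ /^timer:\(/) {
                s = $f
                sub(/^timer:\(/, "", s); sub(/\)$/, "", s)
                split(s, a, ",")
                kind = a[1]; left = a[2]; count = a[3]
            }
        print $5, kind, left, count
    }'
}

# Constructed snapshot in the layout of `ss -tno` (documentation addresses).
SAMPLE='State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 192.0.2.10:22 198.51.100.7:50514 timer:(keepalive,119min,0)
ESTAB 0 0 192.0.2.10:443 203.0.113.9:41822
ESTAB 0 36 192.0.2.10:22 198.51.100.8:50900 timer:(on,240ms,0)
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

printf '%s\n' "$SAMPLE" | keepalive_report
if [ -r /proc/sys/net/ipv4/tcp_keepalive_time ]; then
    echo "dead-peer budget: $(keepalive_budget)s"
fi
```

On a live host, pipe `ss -tno` into keepalive_report; established sockets reported as "none" have no keepalive armed and can linger half-open if the peer vanishes.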

Listing 7

netstat -to


Netstat also lets you prepend the versatile watch command and see real-time updates:

# watch netstat -to

It is a close call, but I have to admit that, in this instance, netstat keeps its output nice and succinct and looks as good as the ss utility's output.

Source and Destination

The following command lets you find information on any sockets with a destination (dst) aimed at a specific IP address:

# ss dst

Conversely, it's not going to take a massive leap to consider that using the src option reveals information on the source side of the socket:

# ss src

Handy, huh? This syntax is easy to remember if you're in a rush, saving the day when a testy boss is breathing down your neck during an outage.

You can even use CIDR network notations in the address callout:

# ss dst

Add a colon at the end, and you can check for a very specific port and a very wide IP address range at the same time:


I really appreciate this functionality in situations with lots of traffic and numerous open ports. For instance, this option lets you monitor all DNS-related activity on an entire /24 subnet with one simple ss command.

Regular Expressions

In addition to DNS names and IP addresses, you can also use regular expression (regex) operators in your ss syntax. Have a look at this little nugget:

# ss dport != :53

This command excludes sockets whose destination port (dport) is the DNS port, 53.

If you need to retain some sanity and avoid just looking at numbers, you can also translate ports into the /etc/services format:

# ss

If you're ready to be impressed, you can also include greater-than, less-than, less-than-or-equal-to, and so forth (the backslash keeps the shell from treating > as a redirection):

# ss dport \> :53

Other special characters are also possible, although they sometimes need escaping. Alphabetic equivalents, such as eq (equal), ne (not equal), gt (greater than), and le (less than), also work. Your mileage might vary with different versions of the ss utility.
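When all you have is a saved `ss -tn` snapshot from an outage, the same address-range and port-comparison tests from the Source and Destination and Regular Expressions sections can be applied after the fact. The function below is an added example, not code from the article: it is IPv4 only, ss_match and its operator names are its own, and the snapshot uses constructed documentation addresses.

```shell
#!/bin/sh
# Added example, not from the article; IPv4 only, sample data constructed.
# ss_match CIDR OP PORT: reads a saved `ss -tn` snapshot on stdin and prints
# the sockets whose peer address lies in CIDR and whose peer port satisfies
# OP (eq, ne, gt, lt: names chosen for this function) against PORT.
ss_match() {
    awk -v cidr="$1" -v op="$2" -v port="$3" '
    function ip2int(ip,   o) {
        if (split(ip, o, ".") != 4) return -1
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    function cmp(a, o, b) {
        if (o == "eq") return a == b
        if (o == "ne") return a != b
        if (o == "gt") return a >  b
        if (o == "lt") return a <  b
        return 0                      # unknown operator matches nothing
    }
    BEGIN {
        split(cidr, c, "/")
        bits = (c[2] == "") ? 32 : c[2] + 0
        size = 2 ^ (32 - bits)        # number of addresses in the block
        net  = int(ip2int(c[1]) / size)
    }
    $1 == "State" { next }            # skip the header line
    {
        if (split($5, peer, ":") != 2) next    # not IPv4 addr:port
        addr = ip2int(peer[1])
        if (addr < 0) next
        if (int(addr / size) == net && cmp(peer[2] + 0, op, port + 0))
            print
    }'
}

SNAPSHOT='State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 10.0.0.5:41000 192.0.2.10:53
ESTAB 0 0 10.0.0.5:41002 192.0.2.77:443
ESTAB 0 0 10.0.0.5:41004 198.51.100.7:53
ESTAB 0 0 10.0.0.5:22 192.0.2.200:50022'

echo "DNS peers in 192.0.2.0/24:"
printf '%s\n' "$SNAPSHOT" | ss_match 192.0.2.0/24 eq 53
echo "non-DNS peers in 192.0.2.0/24:"
printf '%s\n' "$SNAPSHOT" | ss_match 192.0.2.0/24 ne 53
```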
