Troubleshooting sockets with ss
Getting Specific
You can look at only TCP sockets with:
# ss -t
Alternatively, you could write out the --tcp
option. Ramp up the level of detail with the -a
(for "all") switch:
# ss -t -a
Altering that command ever-so slightly generates output to include UDP, Raw, and Unix sockets. For a verbose view of all UDP sockets, enter
# ss -u -a
and to view all Raw sockets, enter:
# ss -w -a
If you really must indulge yourself with several screen's worth of mind-boggling text, you can choose to view all Unix Domain sockets with:
# ss -x -a
Also included in the seemingly bottomless toolbox provided by the ss utility is the ability to watch out for DCCP sockets; DCCP is a less common network protocol that has the connection-oriented, error-checking traits of TCP with the broadcast-type features of UDP. The DCCP protocol is often used for media streaming. Check for DCCP traffic with this nifty little command:
# ss -d -a
You can also monitor the status of connections to your computer by extending the level of detail using the -e
option (Listing 6).
Listing 6
ss -e
Listing 6 shows timer options that offer an insight into the current status of any keepalives on a connection. This feature can be useful for services such as HTTP or SSH, which tend to employ keepalives (see the box titled "Keepalive Notes"). Listing 7 shows similar output using the netstat -to
command.
Keepalive Notes
A keepalive packet generally has a TCP ACK configured with a sequence number set to one less than the current number used on the connection. Any machine receiving a nudge from such a packet will simply respond with the correct sequence number and, Frankenstein jokes aside, announce that it is indeed alive.
These types of packets are sometimes empty and generally have three associated parameters. The retry
parameter will declare how many times to send a packet before coming to the conclusion that the other end of the connection has given up the ghost. The time
setting is configured as the frequency of the checks, and finally the interval
dictates the length of time between two sent packets if no response is received.
Inside the kernel, you can alter these settings by editing these values in the eye-watering pseudo-filesystem known and loved as /proc
. One file, in this case, is /proc/sys/net/ipv4/tcp_keepalive_time
, and you can edit it as follows:
# echo 75 > /proc/sys/net/\ ipv4/tcp_keepalive_intvl # echo 9 > /proc/sys/net/\ ipv4/tcp_keepalive_probes
Listing 7
netstat -to
Netstat also lets you prepend the versatile watch
command and see real-time updates:
# watch netstat -to
It is a close call, but I have to admit that, in this instance, netstat keeps its output nice and succinct and looks as good as the ss utility's output.
Source and Destination
The following command lets you find information on any sockets with a destination (dst
) aimed at a specific IP address:
# ss dst 192.168.0.1
Conversely, it's not going to take a massive leap to consider that using the src
option reveals information on the source side of the socket:
# ss src 192.168.0.2
Handy, huh? This syntax is easy to remember if you're in a rush, saving the day when a testy boss is breathing down your neck during an outage.
You can even use CIDR network notations in the address callout:
# ss dst 192.168.0.1/24
Add a colon at the end, and you can check for a very specific port and a very wide IP address range at the same time:
# 192.168.0.1/24:53
I really appreciate this functionality in situations with lots of traffic and numerous open ports. For instance, this option lets you monitor all DNS-related activity on an entire /24 subnet with one simple ss command.
Regular Expressions
In addition to DNS names and IP addresses, you can also use regular expression (regex) operators in your ss syntax. Have a look at this little nugget:
# ss dport != :53
This command excludes the destination dport
on the DNS port 53
.
If you need to retain some sanity and avoid just looking at numbers, you can also translate ports into the /etc/services
format:
# ss 192.168.0.1:http
If you're ready to be impressed, you can also include greater-than, lesser-than, less-than-or-equal-to, and so forth:
# ss dport > :53
Other special characters are possible also, although sometimes special characters need escaping. Alphabetic equivalents, such as eq
(equal), ne
(not equal), gt
(greater than), and le
(less than) also work. Your mileage might vary with different versions of the ss utility.
« Previous 1 2 3 Next »
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Rhino Linux Announces Latest "Quick Update"
If you prefer your Linux distribution to be of the rolling type, Rhino Linux delivers a beautiful and reliable experience.
-
Plasma Desktop Will Soon Ask for Donations
The next iteration of Plasma has reached the soft feature freeze for the 6.2 version and includes a feature that could be divisive.
-
Linux Market Share Hits New High
For the first time, the Linux market share has reached a new high for desktops, and the trend looks like it will continue.
-
LibreOffice 24.8 Delivers New Features
LibreOffice is often considered the de facto standard office suite for the Linux operating system.
-
Deepin 23 Offers Wayland Support and New AI Tool
Deepin has been considered one of the most beautiful desktop operating systems for a long time and the arrival of version 23 has bolstered that reputation.
-
CachyOS Adds Support for System76's COSMIC Desktop
The August 2024 release of CachyOS includes support for the COSMIC desktop as well as some important bits for video.
-
Linux Foundation Adopts OMI to Foster Ethical LLMs
The Open Model Initiative hopes to create community LLMs that rival proprietary models but avoid restrictive licensing that limits usage.
-
Ubuntu 24.10 to Include the Latest Linux Kernel
Ubuntu users have grown accustomed to their favorite distribution shipping with a kernel that's not quite as up-to-date as other distros but that changes with 24.10.
-
Plasma Desktop 6.1.4 Release Includes Improvements and Bug Fixes
The latest release from the KDE team improves the KWin window and composite managers and plenty of fixes.
-
Manjaro Team Tests Immutable Version of its Arch-Based Distribution
If you're a fan of immutable operating systems, you'll be thrilled to know that the Manjaro team is working on an immutable spin that is now available for testing.