Lines Matching refs:tt
6 <author>Alexey Kuznetsov, <tt/kuznet@ms2.inr.ac.ru/
9 <tt/ss/ is one another utility to investigate sockets.
10 Functionally it is NOT better than <tt/netstat/ combined
20 <p> <tt>/proc</tt> interface is inadequate, unfortunately.
21 When amount of sockets is enough large, <tt/netstat/ or even
22 plain <tt>cat /proc/net/tcp/</tt> cause nothing but pains and curses.
24 of sockets is small reading <tt>/proc/net/tcp/</tt> is slow enough.
30 to load module <tt/tcp_diag/, which can be found in directory
31 <tt/Modules/ of <tt/iproute2/. If you do not make this <tt/ss/
32 will work, but it falls back to <tt>/proc</tt> and becomes slow
33 like <tt/netstat/, well, a bit faster yet (see section "Some numbers").
38 In the simplest form <tt/ss/ is equivalent to netstat
42 <item><tt/ss -t -a/ dumps all TCP sockets
43 <item><tt/ss -u -a/ dumps all UDP sockets
44 <item><tt/ss -w -a/ dumps all RAW sockets
45 <item><tt/ss -x -a/ dumps all UNIX sockets
49 Option <tt/-o/ shows TCP timers state.
50 Option <tt/-e/ shows some extended information.
61 The first: without option <tt/-a/ sockets in states
62 <tt/TIME-WAIT/ and <tt/SYN-RECV/ are skipped too.
75 The next: by default it does not resolve numeric host addresses (like <tt/ip/)!
76 Resolving is enabled with option <tt/-r/. Service names, usually stored
78 does not contain references to a port, <tt/ss/ queries system
79 <tt/rpcbind/. RPC services are prefixed with <tt/rpc./
80 Resolution of services may be suppressed with option <tt/-n/.
85 option <tt/-f/ to be algined to iproute2 conventions.
88 to sockets supporting only given family. Option <tt/-A/ followed
92 <tt/all/, <tt/tcp/, <tt/udp/,
93 <tt/raw/, <tt/inet/, <tt/unix/, <tt/packet/, <tt/netlink/. See?
94 Well, <tt/inet/ is just abbreviation for <tt/tcp|udp|raw/
95 and it is not difficult to guess that <tt/packet/ allows
97 f.e. <tt/unix_dgram/ selects only datagram UNIX sockets.
112 <tt/ss/ allows to filter socket states, using keywords
113 <tt/state/ and <tt/exclude/, followed by some state
122 <item><tt/all/ - for all the states
123 <item><tt/bucket/ - for TCP minisockets (<tt/TIME-WAIT|SYN-RECV/)
124 <item><tt/big/ - all except for minisockets
125 <item><tt/connected/ - not closed and not listening
126 <item><tt/synchronized/ - connected and not <tt/SYN-SENT/
130 F.e. to dump all tcp sockets except <tt/SYN-RECV/:
137 If neither <tt/state/ nor <tt/exclude/ directives
139 state filter defaults to <tt/all/ with option <tt/-a/
140 or to <tt/all/,
148 <tt/or/, <tt/and/, <tt/not/ and predicates.
150 <tt/&/, <tt/&&/, <tt/|/, <tt/||/, <tt/!/, but do not forget
169 Both prefix and port may be absent or replaced with <tt/*/,
173 from context (with option <tt/-x/ or with <tt/-f unix/
174 or with <tt/unix/ keyword)
206 Another way is <tt/dst ::1/128/. / helps to understand that
210 Now we can add another alias for <tt/dst 10.0.0.1/:
211 <tt/dst [10.0.0.1]/. :-)
214 up (in all the address families, if it is not limited by option <tt/-f/
215 or special address prefix <tt/inet:/, <tt/inet6/) and resulting
216 expression is <tt/or/ over all of them.
226 All the relations: <tt/</, <tt/>/, <tt/=/, <tt/>=/, <tt/=/, <tt/==/,
227 <tt/!=/, <tt/eq/, <tt/ge/, <tt/lt/, <tt/ne/...
233 incomparison, except for <tt/==/ and <tt/!=/, which are equivalent
236 <tt/dst 10.0.0.1:22/
237 is equivalent to <tt/dport eq 10.0.0.1:22/
239 <tt/not dst 10.0.0.1:22/ is equivalent to
240 <tt/dport neq 10.0.0.1:22/
242 <item>C. Keyword <tt/autobound/. It matches to sockets bound automatically
252 <item>1. List all the tcp sockets in state <tt/FIN-WAIT-1/ for our apache
261 equivalent to <tt/and/.
307 <p> General format of arguments to <tt/ss/ is:
313 <sect2><tt/OPTIONS/
314 <p> <tt/OPTIONS/ is list of single letter options, using common unix
318 <item><tt/-h/ - show help page
319 <item><tt/-?/ - the same, of course
320 <item><tt/-v/, <tt/-V/ - print version of <tt/ss/ and exit
321 <item><tt/-s/ - print summary statistics. This option does not parse
323 when amount of sockets is so huge that parsing <tt>/proc/net/tcp</tt>
325 <item><tt/-D FILE/ - do not display anything, just dump raw information
326 about TCP sockets to <tt/FILE/ after applying filters. If <tt/FILE/ is <tt/-/
327 <tt/stdout/ is used.
328 <item><tt/-F FILE/ - read continuation of filter from <tt/FILE/.
329 Each line of <tt/FILE/ is interpreted like single command line option.
330 If <tt/FILE/ is <tt/-/ <tt/stdin/ is used.
331 <item><tt/-r/ - try to resolve numeric address/ports
332 <item><tt/-n/ - do not try to resolve ports
333 <item><tt/-o/ - show some optional information, f.e. TCP timers
334 <item><tt/-i/ - show some infomration specific to TCP (RTO, congestion
336 <item><tt/-e/ - show even more optional information
337 <item><tt/-m/ - show extended information on memory used by the socket.
338 It is available only with <tt/tcp_diag/ enabled.
339 <item><tt/-p/ - show list of processes owning the socket
340 <item><tt/-f FAMILY/ - default address family used for parsing addresses.
343 are supported: <tt/unix/, <tt/inet/, <tt/inet6/, <tt/link/,
344 <tt/netlink/.
345 <item><tt/-4/ - alias for <tt/-f inet/
346 <item><tt/-6/ - alias for <tt/-f inet6/
347 <item><tt/-0/ - alias for <tt/-f link/
348 <item><tt/-A LIST-OF-TABLES/ - list of socket tables to dump, separated
350 <tt/all/, <tt/inet/, <tt/tcp/, <tt/udp/, <tt/raw/,
351 <tt/unix/, <tt/packet/, <tt/netlink/, <tt/unix_dgram/,
352 <tt/unix_stream/, <tt/packet_raw/, <tt/packet_dgram/.
353 <item><tt/-x/ - alias for <tt/-A unix/
354 <item><tt/-t/ - alias for <tt/-A tcp/
355 <item><tt/-u/ - alias for <tt/-A udp/
356 <item><tt/-w/ - alias for <tt/-A raw/
357 <item><tt/-a/ - show sockets of all the states. By default sockets
358 in states <tt/LISTEN/, <tt/TIME-WAIT/, <tt/SYN_RECV/
359 and <tt/CLOSE/ are skipped.
360 <item><tt/-l/ - show only sockets in state <tt/LISTEN/
363 <sect2><tt/STATE-FILTER/
365 <p><tt/STATE-FILTER/ allows to construct arbitrary set of
366 states to match. Its syntax is sequence of keywords <tt/state/
367 and <tt/exclude/ followed by identifier of state.
372 <item> All standard TCP states: <tt/established/, <tt/syn-sent/,
373 <tt/syn-recv/, <tt/fin-wait-1/, <tt/fin-wait-2/, <tt/time-wait/,
374 <tt/closed/, <tt/close-wait/, <tt/last-ack/, <tt/listen/ and <tt/closing/.
376 <item><tt/all/ - for all the states
377 <item><tt/connected/ - all the states except for <tt/listen/ and <tt/closed/
378 <item><tt/synchronized/ - all the <tt/connected/ states except for
379 <tt/syn-sent/
380 <item><tt/bucket/ - states, which are maintained as minisockets, i.e.
381 <tt/time-wait/ and <tt/syn-recv/.
382 <item><tt/big/ - opposite to <tt/bucket/
385 <sect2><tt/ADDRESS_FILTER/
387 <p><tt/ADDRESS_FILTER/ is boolean expression with operations <tt/and/, <tt/or/
388 and <tt/not/, which can be abbreviated in C style f.e. as <tt/&/,
389 <tt/&&/.
396 <item> <tt/dst ADDRESS_PATTERN/ - matches remote address and port
397 <item> <tt/src ADDRESS_PATTERN/ - matches local address and port
398 <item> <tt/dport RELOP PORT/ - compares remote port to a number
399 <item> <tt/sport RELOP PORT/ - compares local port to a number
400 <item> <tt/autobound/ - checks that socket is bound to an ephemeral
404 <p><tt/RELOP/ is some of <tt/<=/, <tt/>=/, <tt/==/ etc.
406 FORTRAN-like notations <tt/le/, <tt/gt/ etc. are accepted as well.
408 <p>The format and semantics of <tt/ADDRESS_PATTERN/ depends on address
412 <item><tt/inet/ - <tt/ADDRESS_PATTERN/ consists of IP prefix, optionally
414 with <tt/*/, this means wildcard match.
415 <item><tt/inet6/ - The same as <tt/inet/, only prefix refers to an IPv6
416 address. Unlike <tt/inet/ colon becomes ambiguous, so that <tt/ss/ allows
418 <tt/[/ ... <tt/]/.
419 <item><tt/unix/ - <tt/ADDRESS_PATTERN/ is shell-style wildcard.
420 <item><tt/packet/ - format looks like <tt/inet/, only interface index
422 <item><tt/netlink/ - format looks like <tt/inet/, only socket pid
426 <p><tt/PORT/ is syntactically <tt/ADDRESS_PATTERN/ with wildcard
432 <tt/ss/ allows to change source of information using various
437 <item> <tt/PROC_SLABINFO/ to override <tt>/proc/slabinfo</tt>
438 <item> <tt/PROC_NET_TCP/ to override <tt>/proc/net/tcp</tt>
439 <item> <tt/PROC_NET_UDP/ to override <tt>/proc/net/udp</tt>
444 Variable <tt/PROC_ROOT/ allows to change root of all the <tt>/proc/</tt>
448 Variable <tt/TCPDIAG_FILE/ prescribes to open a file instead of
453 when dumps of files usually found in <tt>/proc/</tt> are recevied
458 <p>Six columns. The first is <tt/Netid/, it denotes socket type and
459 transport protocol, when it is ambiguous: <tt/tcp/, <tt/udp/, <tt/raw/,
460 <tt/u_str/ is abbreviation for <tt/unix_stream/, <tt/u_dgr/ for UNIX
461 datagram sockets, <tt/nl/ for netlink, <tt/p_raw/ and <tt/p_dgr/ for
466 The second column is <tt/State/. Socket state is displayed here.
467 The names are standard TCP names, except for <tt/UNCONN/, which
472 Then two columns (<tt/Recv-Q/ and <tt/Send-Q/) showing amount of data
480 If options <tt/-o/, <tt/-e/ or <tt/-p/ were given, options are
482 <tt/option:value/. If value is not a single number, it is presented
483 as list of values, enclosed to <tt/(/ ... <tt/)/ and separated with
489 is typical format for TCP timer (option <tt/-o/).
494 is typical for list of users (option <tt/-p/).
500 Well, let us use <tt/pidentd/ and a tool <tt/ibench/ to measure
515 <item> <tt/netstat -at/ - 15.6 seconds
516 <item> <tt/ss -atr/, but without <tt/tcp_diag/ - 5.4 seconds
517 <item> <tt/ss -atr/ with <tt/tcp_diag/ - 0.47 seconds
521 without <tt/tcp_diag/ is wasted inside kernel with completely
522 blocked networking. More than 10 seconds, yes. <tt/tcp_diag/