Linux网络状态工具ss命令详解

ss命令用于显示套接字状态。它可以显示PACKET套接字、TCP套接字、UDP套接字、DCCP套接字、RAW套接字、Unix域套接字等统计信息。它比其他工具显示更多的TCP和状态信息。它是一个非常实用的新工具，可以快速高效地跟踪IP连接和套接字。SS命令可以提供以下信息：所有TCP套接字所有UDP套接字所有ssh/ftp/ttp/https持久连接所有使用状态连接到Xserver的本地进程（例如：连接、同步、SYN-RECV、SYN-SENT、TIME-WAIT),地址,端口过滤所有状态FIN-WAIT-1tcpsocket连接和许多更流行的Linux发行版都支持ss并且许多监控工具使用ss命令。熟悉该工具将有助于您更好地发现和解决系统性能问题。我强烈推荐使用ss命令来代替一些netstat命令，比如netsat-ant/lnt等。在展示他之前，我们先来比较一下服务器并发连接数eal0m12.960suser0m0.334ssys0m12.561s#timess-ostateestablished|wc-l3204real0m0.030suser0m0.005ssys0m0.026snetstat#timenetstat-ant|grepEST|wc-l3100r结果很明显ss在并发连接数上比netstat效率更高。接下来，你还选择netstat吗？你还在犹豫？看下面的例子，或者跳转到帮助页面。常用ss命令：ss-l显示本地打开的所有端口ss-pl显示每个进程专门打开的socketss-t-a显示所有tcpsocketsss-u-a显示所有UDPSocektss-ostateestablished'(dport=:smtporsport=:smtp)'显示所有已建立的SMTP连接ss-ostateestablished'(dport=:httporsport=:http)'显示所有已建立的HTTP连接ss-xsrc/tmp/.X11-unix/*FindoutalltheprocessesconnectedtotheXserverss-sListthecurrentsocketdetails:显示套接字的简要信息，列出当前连接、关闭、等待的tcp连接#ss-sTotal:3519(kernel3691)TCP:26557(estab3163,closed23182,orphaned194,synrecv0,timewait23182/0),ports1452TransportTotalIPIPv6*3691--RAW220UDP1073TCP337533687INET3387337710FRAG000列出当前监听端口#ss-lRecv-QSend-QLocalAddress:PortPeerAddress:Port010:::5989:::*05*:rsync*:*0128:::sunrpc:::*0128*:sunrpc*:*0511*2:http*:*0128:::ssh:::*0128*:ssh*:*0128:::35766:::*0128127.0.0.1:ipp*:*0128::1:ipp:::*0100::1:smtp::*0100127.0.0.1:smtp*:*0511*:https*:*0100:::1311:::*05*:5666*:*0128*:3044*:*ss列出每个进程名称及其侦听端口#ss-plss列出所有tcp套接字#ss-t-ass列出所有udp套接字#ss-u-ass列出所有的http连接#ss-ostateestablished'(dport=:httporsport=:http)'上面包括对外提供的80个，对外访问的80个。使用以上命令可以完美替代netstat获取http并发连接数，监控常用，ss列出本地有哪些进程连接到x服务器#ss-xsrc/tmp/.X11-unix/*ss列出http和httpsconnectionsinFIN-WAIT-1state#ss-ostatefin-wait-1'(sport=:http或sport=:https)'s常用状态state:establishedsyn-sentsyn-recvfin-wait-1fin-wait-2time-waitclosedclose-waitlast-acklistenclosingall:Alloftheabovestatesconnected:Allthestatesexceptforlistenandclosedsynchronized:Alltheconnectedstatesexceptforsyn-sentbucket:Showstates,whicharemaintainedasminisockets,i.e.time-waitandsyn-recv.big:Oppositetobucketstate.ss使用IP地址筛选sssrcADDRESS_PATTERNsrc：表示来源ADDRESS_PATTERN：表示地址规则如下：sssrc120.33.31.1#列来自20.33.31.1的连接#　列出连接到120.33.31.1，端口80sssrc120.33.31.1:httpsssrc120.33.31.1:8ss使用端口过滤ssdportOPPORTOP:yesoperatorPORT:表示端口dport:表示过滤目标端口，相反，还有如下sportOP操作符：<=orle：小于等于>=orge：大于等于==oreq：等于!=orne：不等于端口orgt:大于端口OP实例sssport=:http也可以是sssport=:80ssdport=:httpssdport\>:1024sssport\>:1024sssport\<:32000sssporteq:22ssdport!=:22ssstateconnectedsport=:httpss\(sport=:httporsport=:https\)ss-ostatefin-wait-1\(sport=:httporsport=:https\)dst192.168.1/24为什么ss比netstat快：netstat遍历/proc下的各个PID目录，ss直接读取/proc/net下的统计信息。所以ss在执行ss命令时比netstat消耗的资源和时间要少得多help#ss-hUsage:ss[OPTIONS]ss[OPTIONS][FILTER]-h,--helpthismessage-V,--versionoutputversioninformation-n,--numericdon'tresolveservicenames-r,--resolveresolvehostnames-a,--alldisplayallsockets-l,--listeningdisplaylisteningsockets-o,--optionsshowtimerinformation-e,--extendedshowdetailedsocketinformation-m,--memoryshowsocketmemoryusage-p,--processesshowprocessusingsocket-i,--infoshowinternalTCPinformation-s,--summaryshowsocketusagesummary-4,--ipv4displayonlyIPversion4sockets-6,--ipv6displayonlyIPversion6sockets-0,--packetdisplayPACKETsockets-t,--tcpdisplayonlyTCPsockets-u,--udpdisplayonlyUDPsockets-d,--dccpdisplayonlyDCCPsockets-w,--rawdisplayonlyRAWsockets-x,--unixdisplayonlyUnixdomainsockets-f,--family=FAMILYdisplaysocketsoftypeFAMILY-A,--query=查询,--socket=QUERYQUERY:={all|inet|tcp|udp|raw|unix|packet|netlink}[,QUERY]-D,--diag=FILEDumprawinformationaboutTCPsocketstoFILE-F,--filter=FILEreadfilterinformationfromFILEFILTER:=[stateTCP-STATE][EXPRESSION]