Viewing network socket data is something SysAdmins do often. We could be called on to see if a connection is established to a host, if an application is listening on a given port, or we may need to review the network connection table as a whole to see what a server is doing (this is especially valuable when DDOS attacks occur). The netstat and lsof tools provide quite a bit of visibility into this area, but I’ve recently started firing up the ss (socket stat) tool when I need to view socket information. Socket stat can display pretty much everything you ever wanted to know about the connections on your server. To get a basic breakdown of ports that applications are listening on, you can run ss with the “-l” option:
$ ss -l
Recv-Q Send-Q Local Address:Port Peer Address:Port
0 128 :::ssh :::*
0 128 *:ssh *:*
0 128 127.0.0.1:ipp *:*
0 128 ::1:ipp :::*
To view the processes that are using each listening socket, you can run ss with the “-p” option:
$ ss -p
State Recv-Q Send-Q Local Address:Port Peer Address:Port
CLOSE-WAIT 1 0 192.168.1.1:57666 192.168.1.2:http users:(("gvfsd-http",16992,14))
To display the amount of memory being consumed by the socket buffers, you can use the ss “-m” option (this is quite handy!):
$ ss -e -m
State Recv-Q Send-Q Local Address:Port Peer Address:Port
CLOSE-WAIT 1 0 192.168.1.1:57666 192.168.1.2:http uid:500 ino:40834026 sk:ffff88022d3b2080
mem:(r360,w0,f3736,t0)
Additionally, you can use the ss “-s” option to summarize all of the socket states:
$ ss -s
Total: 571 (kernel 589)
TCP: 17 (estab 10, closed 0, orphaned 0, synrecv 0, timewait 0/0), ports 0
Transport Total IP IPv6
589 - -
RAW 0 0 0
UDP 10 6 4
TCP 17 14 3
INET 27 20 7
FRAG 0 0 0
There are also options to display information about specific socket types (UNIX domain, UDP, TCP, etc), and to dig deep into the connection table information (see the “-i” option for further details). If you have a current release of CentOS, RHEL or Fedora, this awesome tool should be on your system. It’s part of the iproute package.