How to learn everything you ever wanted to know about Linux sockets

Viewing network socket data is something SysAdmins do often. We could be called on to see if a connection is established to a host, if an application is listening on a given port, or we may need to review the network connection table as a whole to see what a server is doing (this is especially valuable when DDoS attacks occur). The netstat and lsof tools provide quite a bit of visibility into this area, but I’ve recently started firing up the ss (socket stat) tool when I need to view socket information. Socket stat can display pretty much everything you ever wanted to know about the connections on your server.

To get a basic breakdown of the ports that applications are listening on, you can run ss with the “-l” option:

$ ss -l

Recv-Q Send-Q                         Local Address:Port                             Peer Address:Port   
0      128                                       :::ssh                                        :::*       
0      128                                        *:ssh                                         *:*       
0      128                                127.0.0.1:ipp                                         *:*       
0      128                                      ::1:ipp                                        :::*       

To view the processes that are using each socket, you can run ss with the “-p” option (add “-l” to restrict the output to listening sockets):

$ ss -p

State      Recv-Q Send-Q      Local Address:Port          Peer Address:Port   
CLOSE-WAIT 1      0          192.168.1.1:57666         192.168.1.2:http     users:(("gvfsd-http",16992,14))

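To display the amount of memory being consumed by the socket buffers, you can use the ss “-m” option (this is quite handy!). The example below also passes “-e”, which adds extended details such as the socket's uid and inode: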

$ ss -e -m

State       Recv-Q Send-Q                    Local Address:Port                        Peer Address:Port   
CLOSE-WAIT  1      0                        192.168.1.1:57666                       192.168.1.2:http     uid:500 ino:40834026 sk:ffff88022d3b2080
	 mem:(r360,w0,f3736,t0)

Additionally, you can use the ss “-s” option to summarize all of the socket states:

$ ss -s

Total: 571 (kernel 589)
TCP:   17 (estab 10, closed 0, orphaned 0, synrecv 0, timewait 0/0), ports 0

Transport Total     IP        IPv6
*	  589       -         -        
RAW	  0         0         0        
UDP	  10        6         4        
TCP	  17        14        3        
INET	  27        20        7        
FRAG	  0         0         0       

There are also options to display information about specific socket types (UNIX domain, UDP, TCP, etc), and to dig deep into the connection table information (see the “-i” option for further details). If you have a current release of CentOS, RHEL or Fedora, this awesome tool should be on your system. It’s part of the iproute package.
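
When reviewing the connection table as a whole, for instance while a server is under unusual load, it helps to aggregate ss output by state and by peer. The script below is an added example, not part of the original post: the function names and the sample table are constructed, and it assumes the `ss -tan` column layout (State first, Peer Address:Port fifth).

```shell
#!/bin/sh
# Added example: summarize a TCP connection table in `ss -tan` layout (stdin).
# Assumes State is column 1 and Peer Address:Port is column 5.

# Constructed sample; addresses are from documentation ranges.
sample_table() {
cat <<'EOF'
State      Recv-Q Send-Q  Local Address:Port    Peer Address:Port
LISTEN     0      128                 *:22                 *:*
ESTAB      0      0          192.0.2.10:22      198.51.100.7:51514
ESTAB      0      0          192.0.2.10:80       203.0.113.5:40110
SYN-RECV   0      0          192.0.2.10:80       203.0.113.5:40112
SYN-RECV   0      0          192.0.2.10:80       203.0.113.5:40113
TIME-WAIT  0      0          192.0.2.10:80      198.51.100.7:51600
CLOSE-WAIT 1      0          192.0.2.10:57666 [2001:db8::1]:80
EOF
}

# Sockets per TCP state, most common first.
count_by_state() {
    awk '$1 != "State" && NF >= 5 { n[$1]++ }
         END { for (s in n) print n[s], s }' | LC_ALL=C sort -k1,1nr -k2,2
}

# Non-listening sockets per peer address. The port is whatever follows the
# last colon, so bracketed IPv6 peers like [2001:db8::1]:80 parse correctly.
count_by_peer() {
    awk '$1 != "State" && $1 != "LISTEN" && NF >= 5 {
             peer = $5
             sub(/:[^:]*$/, "", peer)
             n[peer]++
         }
         END { for (p in n) print n[p], p }' | LC_ALL=C sort -k1,1nr -k2,2
}

# Peers holding at least $1 sockets in state $2 (default SYN-RECV), a quick
# check for half-open connection build-up from a single source.
peers_over_threshold() {
    awk -v min="$1" -v st="${2:-SYN-RECV}" '$1 == st && NF >= 5 {
             peer = $5
             sub(/:[^:]*$/, "", peer)
             n[peer]++
         }
         END { for (p in n) if (n[p] >= min) print n[p], p }' |
        LC_ALL=C sort -k1,1nr -k2,2
}

# Offline demo; on a live host use: ss -tan | count_by_peer
sample_table | count_by_peer
```

The “-n” flag keeps addresses and ports numeric, which avoids name lookups while the host is busy and keeps the port-stripping step unambiguous.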
