The ss command is a modern replacement for the classic netstat. You can use it on Linux to get statistics about your network connections. Here’s how to work with this handy tool.
The ss Command versus netstat
A replacement for the deprecated netstat command, ss gives you detailed information about how your computer communicates with other computers, networks, and services.
ss displays statistics for Transmission Control Protocol (TCP), User Datagram Protocol (UDP), Unix (interprocess), and raw sockets. Raw sockets operate at the network layer of the OSI model, which means TCP and UDP headers have to be handled by the application software, not by the transport layer. Internet Control Message Protocol (ICMP) messages and the ping utility both use raw sockets.
Using ss
You don’t have to install ss, as it’s already part of an up-to-date Linux distribution. Its output, however, can be very long—we’ve had results containing over 630 lines. The results are also very wide.
Because of this, we’ve included text representations of the results we obtained, as they wouldn’t fit in a screenshot. We’ve trimmed them to make them more manageable.
Listing Network Connections
Using ss with no command-line options lists sockets that are non-listening. That is, it lists the sockets that aren’t in the listening state.
To see this, type the following:
ss
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
u_str ESTAB 0 0 * 41826 * 41827
u_str ESTAB 0 0 /run/systemd/journal/stdout 35689 * 35688
u_str ESTAB 0 0 * 35550 * 35551
...
u_str ESTAB 0 0 * 38127 * 38128
u_str ESTAB 0 0 /run/dbus/system_bus_socket 21243 * 21242
u_str ESTAB 0 0 * 19039 * 19040
u_str ESTAB 0 0 /run/systemd/journal/stdout 18887 * 18885
u_str ESTAB 0 0 /run/dbus/system_bus_socket 19273 * 17306
icmp6 UNCONN 0 0 *:ipv6-icmp *:*
udp ESTAB 0 0 192.168.4.28%enp0s3:bootpc 192.168.4.1:bootps
The columns are as follows:
Netid: The type of socket. In our example, we have “u_str,” a Unix stream, a “udp,” and “icmp6,” an IP version 6 ICMP socket. You can find more descriptions of Linux socket types in the Linux man pages.
State: The state the socket is in.
Recv-Q: The number of received packets.
Send-Q: The number of sent packets.
Local Address:Port: The local address and port (or equivalent values for Unix sockets).
Peer Address:Port: The remote address and port (or equivalent values for Unix sockets).
For UDP sockets the “State” column is usually blank. For TCP sockets it can be one of the following:
LISTEN: Server-side only. The socket is waiting for a connection request.
SYN-SENT: Client-side only. This socket has made a connection request and is waiting to see if it’s accepted.
SYN-RECEIVED: Server-side only. This socket is waiting for a connection acknowledgment after accepting a connection request.
ESTABLISHED: Server and clients. A working connection has been established between the server and the client, allowing data to be transferred between the two.
FIN-WAIT-1: Server and clients. This socket is awaiting a connection termination request from the remote socket, or an acknowledgment of a connection termination request that was previously sent from this socket.
FIN-WAIT-2: Server and clients. This socket is awaiting a connection termination request from the remote socket.
CLOSE-WAIT: Server and client. This socket is awaiting a connection termination request from the local user.
CLOSING: Server and clients. This socket is awaiting a connection termination request acknowledgment from the remote socket.
LAST-ACK: Server and client. This socket is awaiting an acknowledgment of the connection termination request it sent to the remote socket.
TIME-WAIT: Server and clients. This socket sent an acknowledgment to the remote socket to let it know it received the remote socket’s termination request. It’s now waiting to make sure that acknowledgment was received.
CLOSED: There is no connection, so the socket has been terminated.
Listing Listening Sockets
To see the listening sockets we’ll add the -l (listening) option, like so:
ss -l
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
nl UNCONN 0 0 rtnl:NetworkManager/535 *
nl UNCONN 0 0 rtnl:evolution-addre/2987 *
...
u_str LISTEN 0 4096 /run/systemd/private 13349 * 0
u_seq LISTEN 0 4096 /run/udev/control 13376 * 0
u_str LISTEN 0 4096 /tmp/.X11-unix/X0 33071 * 0
u_dgr UNCONN 0 0 /run/systemd/journal/syslog 13360 * 0
u_str LISTEN 0 4096 /run/systemd/fsck.progress 13362 * 0
u_dgr UNCONN 0 0 /run/user/1000/systemd/notify 32303 * 0
These sockets are all unconnected and listening. The “rtnl” means routing netlink, which is used to transfer information between kernel and userspace processes.
Listing All Sockets
To list all sockets, you can use the -a (all) option:
ss -a
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
nl UNCONN 0 0 rtnl:NetworkManager/535 *
nl UNCONN 0 0 rtnl:evolution-addre/2987 *
...
u_str LISTEN 0 100 public/showq 23222 * 0
u_str LISTEN 0 100 private/error 23225 * 0
u_str LISTEN 0 100 private/retry 23228 * 0
...
udp UNCONN 0 0 0.0.0.0:631 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:mdns 0.0.0.0:*
...
tcp LISTEN 0 128 [::]:ssh [::]:*
tcp LISTEN 0 5 [::1]:ipp [::]:*
tcp LISTEN 0 100 [::1]:smtp [::]:*
The output contains all sockets, regardless of state.
Listing TCP Sockets
You can also apply a filter so only matching sockets are displayed. We’ll use the -t (TCP) option, so only TCP sockets will be listed:
ss -a -t
Listing UDP Sockets
The -u (UDP) option performs the same type of filtering action. This time, we’ll see only UDP sockets:
ss -a -u
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0 0 0.0.0.0:631 0.0.0.0:*
UNCONN 0 0 0.0.0.0:mdns 0.0.0.0:*
UNCONN 0 0 0.0.0.0:60734 0.0.0.0:*
UNCONN 0 0 127.0.0.53%lo:domain 0.0.0.0:*
ESTAB 0 0 192.168.4.28%enp0s3:bootpc 192.168.4.1:bootps
UNCONN 0 0 [::]:mdns [::]:*
UNCONN 0 0 [::]:51193 [::]:*
Listing Unix Sockets
To see only Unix sockets, you can include the -x (Unix) option, as shown below:
ss -a -x
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
u_str ESTAB 0 0 * 41826 * 41827
u_str ESTAB 0 0 * 23183 * 23184
u_str ESTAB 28 0 @/tmp/.X11-unix/X0 52640 * 52639
...
u_str ESTAB 0 0 /run/systemd/journal/stdout 18887 * 18885
u_str ESTAB 0 0 /run/dbus/system_bus_socket 19273 * 17306
Listing Raw Sockets
The filter for raw sockets is the -w (raw) option:
ss -a -w
Listing IP Version 4 Sockets
Sockets using the TCP/IP version 4 protocol can be listed using the -4 (IPV4) option:
ss -a -4
Listing IP Version 6 Sockets
You can turn on the matching IP version 6 filter with the -6 (IPV6) option, like so:
ss -a -6
Listing Sockets By State
You can list sockets by the state they’re in with the state option. This works with established, listening, or closed states. We’ll also use the resolve option (-r), which tries to resolve network addresses to names, and ports to protocols.
The following command will look for established TCP connections, and ss will try to resolve the names:
ss -t -r state established
Four connections are listed that are in the established state. The hostname, ubuntu20-04, has been resolved and “ssh” is shown instead of 22 for the SSH connection on the second line.
We can repeat this to look for sockets in the listening state:
ss -t -r state listening
Recv-Q Send-Q Local Address:Port Peer Address:Port Process
0 128 localhost:5939 0.0.0.0:*
0 4096 localhost%lo:domain 0.0.0.0:*
0 128 0.0.0.0:ssh 0.0.0.0:*
0 5 localhost:ipp 0.0.0.0:*
0 100 localhost:smtp 0.0.0.0:*
0 128 [::]:ssh [::]:*
0 5 ip6-localhost:ipp [::]:*
0 100 ip6-localhost:smtp [::]:*
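The listening-state output above mixes loopback-only services with ones bound to every interface. The following added example (not part of the original article) sorts such output into the two groups; the function name exposed_listeners and the labels "exposed", "local" and "bound" are assumptions made for illustration, and the sample input is the output shown above.

```shell
#!/bin/sh
# Added example: classify TCP listeners from `ss -t state listening` output.
# Expected columns: Recv-Q Send-Q Local-Address:Port Peer-Address:Port [Process]

# exposed_listeners (hypothetical helper): reads ss output on stdin and prints
#   "exposed <port> <addr>"  for sockets bound to all interfaces
#   "local <port> <addr>"    for loopback-only sockets
#   "bound <port> <addr>"    for sockets bound to one specific address
exposed_listeners() {
  awk '
    $1 !~ /^[0-9]+$/ { next }          # skip the header and blank lines
    {
      ep = $3                          # local address:port field
      n = match(ep, /:[^:]*$/)         # last colon separates address and port
      if (n == 0) next
      addr = substr(ep, 1, n - 1)
      port = substr(ep, n + 1)
      sub(/%.*$/, "", addr)            # drop an interface suffix such as %lo
      if (addr == "0.0.0.0" || addr == "[::]" || addr == "*")
        kind = "exposed"
      else if (addr ~ /^127\./ || addr == "[::1]" ||
               addr == "localhost" || addr == "ip6-localhost")
        kind = "local"
      else
        kind = "bound"
      print kind, port, addr
    }'
}

# Sample input: the listening-state output shown in the article.
SAMPLE='Recv-Q Send-Q Local Address:Port Peer Address:Port Process
0 128 localhost:5939 0.0.0.0:*
0 4096 localhost%lo:domain 0.0.0.0:*
0 128 0.0.0.0:ssh 0.0.0.0:*
0 5 localhost:ipp 0.0.0.0:*
0 100 localhost:smtp 0.0.0.0:*
0 128 [::]:ssh [::]:*
0 5 ip6-localhost:ipp [::]:*
0 100 ip6-localhost:smtp [::]:*'

printf '%s\n' "$SAMPLE" | exposed_listeners

# On a live system: ss -t -r state listening | exposed_listeners
```

Only the two ssh sockets are reported as exposed in this sample; every other listener is reachable from the local machine alone.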
Listing Sockets By Protocol
You can list the sockets using a particular protocol with the dport and sport options, which represent the destination and source ports, respectively.
We type the following to list sockets using the HTTPS protocol on an established connection (note the space after the opening parenthesis and before the closing one):
ss -a state established '( dport = :https or sport = :https )'
We can use the protocol name or the port usually associated with that protocol. The default port for Secure Shell (SSH) is port 22.
We’ll use the protocol name in one command, and then repeat it using the port number:
ss -a '( dport = :ssh or sport = :ssh )'
ss -a '( dport = :22 or sport = :22 )'
As expected, we get the same results.
Listing Connections to a Specific IP Address
With the dst (destination) option, we can list connections to a particular destination IP address.
We type the following:
ss -a dst 192.168.4.25
Identifying Processes
To see which processes are using the sockets, you can use the processes option (-p), as shown below (note you must use sudo):
sudo ss -t -p
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 192.168.4.28:57650 54.218.19.119:https users:(("firefox",pid=3378,fd=151))
ESTAB 0 0 192.168.4.28:ssh 192.168.4.25:43946 users:(("sshd",pid=4086,fd=4),("sshd",pid=3985,fd=4))
This shows us that the two established connections on TCP sockets are being used by the SSH daemon and Firefox.
A Worthy Successor
The ss command provides the same information previously supplied by netstat, but in a simpler, more accessible way. You can check out the man page for more options and tips.
Translated from: https://www.howtogeek.com/681468/how-to-use-the-ss-command-on-linux/



