netstat It's a very practical socket View command . But someone commented that it has been ss（Socket Statistics） Replaced the , So this so-called substitution netstat The order of , How to use it in the end ？ Why can it replace netstat？

Why use ss

It is worth noting that , Almost all linux The system supports by default netstat command , Not necessarily support ss, From this point of view ,netstat Usually there is no other choice . But I have to admit that ,ss Commands are faster and more efficient .

netstat from proc The file system gets the information it needs , and ss utilize netlink Mechanism , Communicate with the kernel , adopt TCP Protocol stack tcp_diag Module obtains first-hand kernel information . Of course, these are not the focus of our attention , Let's see ss How to use commands .

see TCP/UDP Connect

Use -t（TCP） Parameter view TCP Connect , While using -u(UDP) Parameter view UDP socket：

$ ss -t
State       Recv-Q Send-Q                                     Local Address:Port                                                      Peer Address:Port                
ESTAB       0      0                                          192.168.0.103:56296                                                   113.107.216.82:https                
ESTAB       0      0                                          192.168.0.103:56540                                                  185.199.108.153:https                
ESTAB       0      0                                              127.0.0.1:socks                                                        127.0.0.1:44452                
ESTAB       0      0                                              127.0.0.1:42150                                                        127.0.0.1:9614 

among state Shows the status of the current connection , For example, the first line of the result is ESTABLISHED state ,Local Address:port Representing local connections ip And port number . In addition, use -n Parameters display in numerical form ip And port .

see socket Process information

After viewing a connection , How to know which process is connected ？ Use -p（processes） that will do , for example ：

$ ss -tp
State       Recv-Q Send-Q                                     Local Address:Port                                                      Peer Address:Port                
ESTAB       0      0                                              127.0.0.1:42150                                                        127.0.0.1:9614                  users:(("chrome",pid=2578,fd=347))
ESTAB       0      0                                              127.0.0.1:41910                                                        127.0.0.1:9614                  users:(("chrome",pid=2578,fd=383))

Drag the scroll bar to the end to see ,-p Parameter shows the process information of this connection , for example , For the first result , You can see , The process is chrome, process id by 2578, And the file descriptor of this connection is 383.

View in a specific state socket

We know , about TCP connection , Its state is different in different stages , Common states are

ESTABLISHED Established
CLOSED closed
LISTENING Monitoring
FIN-WAIT-2 Wait for the connection to close
TIME-WAIT Wait long enough , Make sure the server closes the connection properly
……
There are many other States , We'll save it for the introduction TCP Time to expand .

How to view connections in a specific state ？ for example , To view in LISTENING State connection ：

$ ss -t state LISTENING
Recv-Q Send-Q                                          Local Address:Port                                                           Peer Address:Port                
0      5                                                   127.0.1.1:domain                                                                    *:*                    
0      128                                                 127.0.0.1:5941                                                                      *:*                    
0      5                                                   127.0.0.1:ipp                                                                       *:*

Use state Options to view . Of course for LISTENING state , You can also use -l Parameters .

besides , There are also the following parameters , Used to view a certain type of status , for example ：
all All types
connected except closed and listen Connected state other than state
synchronized except syn-sent External state

see TCP Relevant timer information

We know that TCP in , There are many timers , and netstat equally , have access to -o Parameters display timer related information ：

$ ss -to
State       Recv-Q Send-Q                                     Local Address:Port                                                      Peer Address:Port                
ESTAB       0      0                                              127.0.0.1:44660                                                        127.0.0.1:socks                 timer:(keepalive,4min42sec,0)
ESTAB       0      0                                          192.168.0.103:60306                                                    203.208.41.37:https                 timer:(keepalive,9.956ms,0)
ESTAB       0      0  

For example, as shown above keepalive Timer time remaining ：

timer:(keepalive,9.956ms,0)

see socket Details

If you want to see more details about the connection ？ For example, how much data is received ？ the previous ACK When is it ？mss How big is it? ？ What is the congestion window size ？ This information is being analyzed and understood TCP It's very helpful when , To view this information, you only need to use -i(information) Parameters can be ：

$ ss -ti  #( It's a long story , A lot of information is omitted , Executable attempts )
cubic wscale:7,7 rto:204 rtt:2.302/4.528 ato:40 mss:23488 cwnd:10 bytes_acked:1560 bytes_received:3907 segs_out:18 segs_in:20 send 816.3Mbps lastsnd:1384 lastrcv:1384 lastack:1384 pacing_rate 1632.1Mbps rcv_rtt:546 rcv_space:43690

Because there are many displayed contents , I won't post it here , Try it yourself , It shows TCP A lot of key information .

see socket Memory usage

Use -m（memory） Parameter to view the memory information used by the connection ：

$ ss -tm  # Only the memory part information is displayed 
skmem:(r0,rb374400,t0,tb46080,f0,w0,o0,bl0)

Due to more information , Only the memory part is shown here , The brackets from left to right represent ：

Memory allocated for receiving messages
Allocable memory for receiving messages
Memory allocated for sending messages
Allocable memory for sending messages
socket Cache used
Memory allocated for messages to be sent
preservation socket Memory used by option
Memory used by connection queue
Show socket Statistics

Use -s(summary) View overall statistics

$ ss -s
Total: 1379 (kernel 2907)
TCP:   68 (estab 58, closed 1, orphaned 0, synrecv 0, timewait 1/0), ports 0

Transport Total     IP        IPv6
*        2907      -         -        
RAW      1         0         1        
UDP      13        8         5        
TCP      67        47        20       
INET      81        55        26       
FRAG      0         0         0   

We can see from the statistical results , share 67 individual TCP Connect .