学步园

http://blog.lifeibo.com/?p=244

在实际工作中，熟练使用工具，可以为我们提高不少效率。今天我们简单了解下ss工具的使用。ss即socket state，也就是说，是可以查看系统中socket的状态的。我们可以用netstat，但为什么还要用ss这个工具呢，当然ss也是有好处的。当我们打开的socket数量很多时，netstat就会变得慢了。

我们先来看看ss的使用格式：

$ ss [ OPTIONS ] [ STATE-FILTER ] [ ADDRESS-FILTER ]

options我从man手册里摘了过来：

-h – show help page
-? – the same, of course
-v, -V – print version of ss and exit
-s – print summary statistics. This option does not parse socket lists obtaining summary from various sources. It is useful when amount of sockets is so huge that parsing /proc/net/tcp is painful.
-D FILE – do not display anything, just dump raw information about TCP sockets to FILE after applying filters. If FILE is – stdout is used.
-F FILE – read continuation of filter from FILE. Each line of FILE is interpreted like single command line option. If FILE is – stdin is used.
-r – try to resolve numeric address/ports
-n – do not try to resolve ports
-o – show some optional information, f.e. TCP timers
-i – show some infomration specific to TCP (RTO, congestion window, slow start threshould etc.)
-e – show even more optional information
-m – show extended information on memory used by the socket. It is available only with tcp_diag enabled.
-p – show list of processes owning the socket
-f FAMILY – default address family used for parsing addresses. Also this option limits listing to sockets supporting given address family. Currently the following families are supported: unix, inet, inet6, link, netlink.
-4 – alias for -f inet
-6 – alias for -f inet6
-0 – alias for -f link
-A LIST-OF-TABLES – list of socket tables to dump, separated by commas. The following identifiers are understood: all, inet, tcp, udp, raw, unix, packet, netlink, unix_dgram, unix_stream, packet_raw, packet_dgram.
-x – alias for -A unix
-t – alias for -A tcp
-u – alias for -A udp
-w – alias for -A raw
-a – show sockets of all the states. By default sockets in states LISTEN, TIME-WAIT, SYN_RECV and CLOSE are skipped.
-l – show only sockets in state LISTEN

ss的强大之处，大于可以设定过滤条件，我们可以根据socket的状态来进行过滤，也可通过端口与ip地址进行过滤。也就是我们在命令格式里面看到的STATE-FILTER与ADDRESS-FILTER。

首先看看STATE-FILTER，STATE-FILTER可用的过滤条件有:
1. 所有的TCP状态，包含：established, syn-sent, syn-recv, fin-wait-1, fin-wait-2, time-wait, closed, close-wait, last-ack, listen and closing.
2. all，包含所有的状态。
3. connected，除了listen与closed的所有其它状态。
4. synchronized，除了syn-sent的所有connected的状态。
5. bucket
6. big
使用时，如：

$ ss state connected

再看看ADDRESS-FILTER，ADDRESS-FILTER用于过滤端口与地址。而且可以进行表达式组合。可用的子表达式有：
1. dst ADDRESS_PATTERN
2. src ADDRESS_PATTERN
3. dport RELOP PORT
4. sport RELOP PORT
5. autobound
其中ADDRESS_PATTERN为ip地址与端口匹配，ip:port，可以用*代替。RELOP为<= >=或==。
如:

$ ss dst 192.168.0.1:80
      $ ss dport == 80

多个子表达式之间可以组合，当然跟tcpdump一样，可以用or and not来组合。但括号要用转义符号表示。
如：

$ ss -o state fin-wait-1 \( sport = :http or sport = :https \) dst 193.233.7/24

看看几个例子：
查看系统总体信息：

$ ss -s
Total: 85 (kernel 108)
TCP:   15 (estab 4, closed 0, orphaned 0, synrecv 0, timewait 0/0), ports 12

Transport Total     IP        IPv6
*	  108       -         -
RAW	  0         0         0
UDP	  10        7         3
TCP	  15        12        3
INET	  25        19        6
FRAG	  0         0         0

想看当前机器的8088端口被谁占用了：

$ ss -lp src :8088
   Recv-Q Send-Q                                                       Local Address:P
0      0                                                                        *:8ers:(("nginx",2942,5),("nginx",2943,5))

我们可以看到，是一个叫nginx的进程，进程id是2942。
当然，用lsof工具也可以看到，还会更简单呢。lsof -i :80

好吧，就先简单介绍到这了。