Tim
Asked: 2019-02-07 16:27:56 +0800 CST

Where is the official documentation (Debian package iproute-doc)?

  • 772

The manpage of ss says:

FILTER := [ state TCP-STATE ] [ EXPRESSION ]

Please take a look at the official documentation (Debian package iproute-doc) for details regarding filters.

What does it mean? I can't find anything under /usr/share/doc/iproute2-doc/.

$ ls /usr/share/doc/iproute2-doc/ss.html
ls: cannot access '/usr/share/doc/iproute2-doc/ss.html': No such file or directory

$ ls /usr/share/doc/iproute2-doc/
actions  changelog.Debian.gz  copyright  examples  README  README.decnet  README.devel  README.distribution.gz  README.iproute2+tc  README.lnstat

Is the documentation also somewhere online for browsing?

Thanks.

debian documentation
  • 2017 Views

4 Answers

  1. Best Answer
    Stephen Kitt
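    2019-02-07T22:24:10+08:00

    The documentation was available in the Debian 9 package, but it was removed in later versions because it was outdated. The manpage is now supposed to be the complete documentation. (There isn't much in it about the details of filters, though.)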

    • 10
  2. user1133275
    2019-02-07T19:22:36+08:00
           FILTER := [ state STATE-FILTER ] [ EXPRESSION ]
                  Please take a look at the official documentation for details regarding filters.
    
    STATE-FILTER
           STATE-FILTER allows to construct arbitrary set of states to match. Its syntax is sequence of keywords state and  exclude  fol‐
           lowed by identifier of state.
    
           Available identifiers are:
    
                  All  standard TCP states: established, syn-sent, syn-recv, fin-wait-1, fin-wait-2, time-wait, closed, close-wait, last-
                  ack, listening and closing.
    
                  all - for all the states
    
                  connected - all the states except for listening and closed
    
                  synchronized - all the connected states except for syn-sent
    
                  bucket - states, which are maintained as minisockets, i.e.  time-wait and syn-recv
    
                  big - opposite to bucket
    ...
    
       ss -o state established '( dport = :ssh or sport = :ssh )'
              Display all established ssh connections.
    
       ss -o state fin-wait-1 '( sport = :http or sport = :https )' dst 193.233.7/24
              List all the tcp sockets in state FIN-WAIT-1 for our apache to network 193.233.7/24 and look at their timers.
    

    So

    ss [options] [ FILTER ]
    

    can be expanded to

    ss [options] [ state STATE-FILTER ] [ EXPRESSION ]
    

    where options are

    [-hVHnraloempiKsZNb460tudwxS] [-f FAMILY] [-A QUERY] [-D FILE] [-D FILE]
    

    STATE-FILTER is one of

    established, syn-sent, syn-recv, fin-wait-1, fin-wait-2, time-wait, closed, close-wait, last-ack, listening, closing, all, connected, synchronized, bucket, big
    

    From the examples we can infer that EXPRESSION is a list of ip-rule SELECTORs.

    SELECTOR := [ not ] [ from PREFIX ] [ to PREFIX ] [ tos TOS ] [ fwmark FWMARK[/MASK] ] [ iif STRING ] [ oif STRING ] [ pref NUMBER ] [ l3mdev ] [ uidrange NUMBER-NUMBER ] [ ipproto PROTOCOL ] [ sport [ NUMBER | NUMBER-NUMBER ] ] [ dport [ NUMBER | NUMBER-NUMBER ] ] [ tun_id TUN_ID ]
    
    • 4
  3. dragon788
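    2020-08-31T11:07:39+08:00

    I was wondering the same thing, and the other answers and comments providing source links were very helpful.

    The overall FILTER syntax is still a bit confusing, but based on an example from Linode that shows how to check ports and sources above the secure (root required) range, I was able to put together a "complex" filter to check for open ports in a specific range.

    All three of these examples are functionally equivalent: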

    ss -a -t '( dport geq :5900 and dport leq :5999 or sport geq :5900 and sport leq :5999 )'
    
    ss -a -t '( dport >= :5900 and dport <= :5999 or sport >= :5900 and sport <= :5999 )'
    
    ss -a -t '( dport >= :5900 & dport <= :5999 | sport >= :5900 & sport <= :5999 )'
    

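    In this case the ports I'm looking for are VNC related, because Hashicorp's Vagrant and Packer tools (and the virtualization tools they interact with, like Virtualbox/VMware/libvirt) will automatically assign ports in this range for virtual machines started "headless", so that you can interact with the VM console without sending raw keystrokes.

    The part that confused me is that the source code has GEQ, LEQ, but the actual filter syntax requires them to be lowercase or the symbolic representation >= or <=, whereas in the source you can see eq defined in lowercase.

    Another sneaky/confusing thing is that =, eq and == all work for equality.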

    • 4
  4. dd.
    2022-01-18T02:23:30+08:00

    This might help

    https://www.apt-browse.org/browse/ubuntu/trusty/main/all/iproute2-doc/3.12.0-2/file/usr/share/doc/iproute2-doc/ss.html


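    SS Utility: Quick Intro

    Alexey Kuznetsov, [email protected]

    some_negative_number, 20 Sep 2001
    ss is one more utility to investigate sockets. Functionally it is not better than netstat combined with some perl/awk scripts, and though it is surely faster, that is not enough to make it much better. :-) So, stop reading this now and do not waste your time. Well, certainly, it proposes some functionality which current netstat is still not able to do, but surely will soon.

    1. Why?

    The /proc interface is inadequate, unfortunately. When the number of sockets is large enough, netstat or even plain cat /proc/net/tcp/ cause nothing but pain and curses. In linux-2.4 it became worse: even if the number of sockets is small, reading /proc/net/tcp/ is slow enough.

    This utility presents a new approach, which is supposed to scale well. I am not going to describe technical details here and will concentrate on the description of the command. The only thing to say is that it is not a bad idea to load the module tcp_diag, which can be found in the directory Modules of iproute2. If you do not do this, ss will work, but it falls back to /proc and becomes slow like netstat, well, a bit faster (see section "Some numbers").

    2. Old news

    In the simplest form ss is equivalent to netstat with some small deviations.

    • ss -t -a dumps all TCP sockets
    • ss -u -a dumps all UDP sockets
    • ss -w -a dumps all RAW sockets
    • ss -x -a dumps all UNIX sockets

    Option -o shows TCP timer state. Option -e shows some extended information. Etc. etc. etc. It seems all the options of netstat related to sockets are supported. Though not AX.25 and other bizarre things. :-) If someone wants, he can add support for decnet and ipx. Some rudimentary support for them is already present in iproute2 libutils, and I will be glad to see these new members.

    However, standard functionality is a bit different:

    The first: without option -a, sockets in states TIME-WAIT and SYN-RECV are skipped too. It is a more reasonable default, I think.

    The second: the format of UNIX sockets is different. It coincides with tcp/udp. Though the standard kernel still does not allow to see write/read queues and the peer address of connected UNIX sockets, a patch doing this exists.

    The third: the default is to dump only TCP sockets, rather than all of the types.

    The next: by default it does not resolve numeric host addresses (like ip)! Resolving is enabled with option -r. Service names, usually stored in local files, are resolved by default. Also, if the service database does not contain a reference to a port, ss queries system rpcbind. RPC services are prefixed with rpc. Resolution of services may be suppressed with option -n.

    It does not accept "long" options (I dislike them, sorry). So, the address family is given with a family identifier following option -f, to be aligned with iproute2 conventions. Mostly, it is to allow the option parser to parse addresses correctly, but as a side effect it really limits dumping to sockets supporting only the given family. Option -A followed by a list of socket tables to dump is also supported. Logically, the id of a socket table is different from the _address_ family, which is another point of incompatibility. So, id is one of all, tcp, udp, raw, inet, unix, packet, netlink. See? Well, inet is just an abbreviation for tcp|udp|raw, and it is not difficult to guess that packet allows to look at packet sockets. Actually, there are also some other abbreviations, f.e. unix_dgram selects only datagram UNIX sockets.

    The next: well, I still do not know. :-)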

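    3. Time to talk about new functionality.

    It is built-in filtering of socket lists.

    3.1 Filtering by state.

    ss allows to filter socket states, using the keywords state and exclude, followed by some state identifier.

    State identifiers are standard TCP state names (not listed; they are useless to you if you do not already know them) or abbreviations:

    • all - for all the states
    • bucket - for TCP minisockets (TIME-WAIT|SYN-RECV)
    • big - all except for minisockets
    • connected - not closed and not listening
    • synchronized - connected and not SYN-SENT

    F.e. to dump all tcp sockets except SYN-RECV: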

       ss exclude SYN-RECV
    

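    If neither state nor exclude directives are present, the state filter defaults to all with option -a, or to all excluding listening, syn-recv, time-wait and closed sockets.

    3.2 Filtering by addresses and ports.

    The option list may contain an address/port filter. It is a boolean expression which consists of the boolean operations or, and, not and predicates. Actually, all the flavors of names for boolean operations are eaten: &, &&, |, ||, !, but do not forget about the special meaning given to these symbols by unix shells, and escape them correctly when used from the command line.

    Predicates may be of the following kinds:

    • A. Address/port match, where the address is checked against a mask and the port is either wildcard or exact. It is one of: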
              dst prefix:port
              src prefix:port
              src unix:STRING
              src link:protocol:ifindex
              src nl:channel:pid
      

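      Both prefix and port may be absent or replaced with *, which means wildcard. UNIX sockets use a more powerful scheme, matching socket names by shell wildcards. Also, the prefixes unix: and link: may be omitted if the address family is evident from context (with option -x or with -f unix or with the unix keyword)

      F.e.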

              dst 10.0.0.1
              dst 10.0.0.1:
              dst 10.0.0.1/32:
              dst 10.0.0.1:*
      

      are equivalent and mean sockets connected to any port on host 10.0.0.1

              dst 10.0.0.0/24:22
      

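      sockets connected to port 22 on network 10.0.0.0...255.

      Note that the port is separated from the address with a colon, which creates trouble with IPv6 addresses. Generally, we interpret the last colon as splitting off the port. To allow giving IPv6 addresses, the trick used in IPv6 HTTP URLs may be used: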

            dst [::1]
      

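      sockets connected to ::1 on any port

      Another way is dst ::1/128. The / helps to understand that the colon is part of the IPv6 address.

      Now we can add another alias for dst 10.0.0.1: dst [10.0.0.1]. :-)

      The address may be a DNS name. In this case all the addresses are looked up (in all the address families, if it is not limited by option -f or special address prefix inet:, inet6) and the resulting expression is or over all of them.

    • B. Port expressions: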
            dport >= :1024
            dport != :22
            sport < :32000
      

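      etc.

      All the relations: <, >, =, >=, =, ==, !=, eq, ge, lt, ne... Use the variant you like more, but do not forget to escape special characters when typing them on the command line. :-)

      Note that the port number syntactically coincides with case A! You may even add an IP address, but it will not participate in the comparison, except for == and !=, which are equivalent to the corresponding predicates of type A. F.e.

      dst 10.0.0.1:22 is equivalent to dport eq 10.0.0.1:22 and not dst 10.0.0.1:22 is equivalent to dport neq 10.0.0.1:22

    • C. Keyword autobound. It matches sockets bound automatically on the local system.

    4. Examples

    • 1. List all the tcp sockets in state FIN-WAIT-1 for our apache to network 193.233.7/24 and look at their timers: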
         ss -o state fin-wait-1 \( sport = :http or sport = :https \) \
                                dst 193.233.7/24
      

      Oops, forgot to say that a missing logical operation is equivalent to and.

    • 2. Well, now look at the rest...
         ss -o excl fin-wait-1
         ss state fin-wait-1 \( sport neq :http and sport neq :https \) \
                             or not dst 193.233.7/24
      

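      Note that we have to do two calls of ss to do this. State match is always anded with address/port match. The reason for this is purely technical: ss does a fast skip of non-matching states before parsing addresses, and I consider the ability to quickly skip time-wait and syn-recv sockets more important than logical generality.

    • 3. So, let's look at all our sockets using autobound ports: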
         ss -a -A all autobound
      
    • 4. And eventually find all the local processes connected to the local X server:
         ss -xp dst "/tmp/.X11-unix/*"
      

      Sorry, this does not work with the current kernel, patching is required. But we can still look at the server side:

         ss -x src "/tmp/.X11-unix/*"
      

    5. Returning to ground: real manual

    5.1 Command arguments

    The general format of arguments to ss is:

           ss [ OPTIONS ] [ STATE-FILTER ] [ ADDRESS-FILTER ]
    

    OPTIONS

    OPTIONS is a list of single-letter options, using common unix conventions.

    • -h - show help page
    • -? - the same, of course
    • -v, -V - print version of ss and exit
    • -s - print summary statistics. This option does not parse socket lists obtaining summary from various sources. It is useful when amount of sockets is so huge that parsing /proc/net/tcp is painful.
    • -D FILE - do not display anything, just dump raw information about TCP sockets to FILE after applying filters. If FILE is - stdout is used.
    • -F FILE - read continuation of filter from FILE. Each line of FILE is interpreted like single command line option. If FILE is - stdin is used.
    • -r - try to resolve numeric address/ports
    • -n - do not try to resolve ports
    • -o - show some optional information, f.e. TCP timers
    • -i - show some information specific to TCP (RTO, congestion window, slow start threshold etc.)
    • -e - show even more optional information
    • -m - show extended information on memory used by the socket. It is available only with tcp_diag enabled.
    • -p - show list of processes owning the socket
    • -f FAMILY - default address family used for parsing addresses. Also this option limits listing to sockets supporting given address family. Currently the following families are supported: unix, inet, inet6, link, netlink.
    • -4 - alias for -f inet
    • -6 - alias for -f inet6
    • -0 - alias for -f link
    • -A LIST-OF-TABLES - list of socket tables to dump, separated by commas. The following identifiers are understood: all, inet, tcp, udp, raw, unix, packet, netlink, unix_dgram, unix_stream, packet_raw, packet_dgram.
    • -x - alias for -A unix
    • -t - alias for -A tcp
    • -u - alias for -A udp
    • -w - alias for -A raw
    • -a - show sockets of all the states. By default sockets in states LISTEN, TIME-WAIT, SYN_RECV and CLOSE are skipped.
    • -l - show only sockets in state LISTEN

    STATE-FILTER

    STATE-FILTER allows to construct arbitrary set of states to match. Its syntax is sequence of keywords state and exclude followed by identifier of state. Available identifiers are:

    • All standard TCP states: established, syn-sent, syn-recv, fin-wait-1, fin-wait-2, time-wait, closed, close-wait, last-ack, listen and closing.
    • all - for all the states
    • connected - all the states except for listen and closed
    • synchronized - all the connected states except for syn-sent
    • bucket - states, which are maintained as minisockets, i.e. time-wait and syn-recv.
    • big - opposite to bucket

    ADDRESS_FILTER

    ADDRESS_FILTER is boolean expression with operations and, or and not, which can be abbreviated in C style f.e. as &, &&.

    Predicates check socket addresses, both local and remote. There are the following kinds of predicates:

    • dst ADDRESS_PATTERN - matches remote address and port
    • src ADDRESS_PATTERN - matches local address and port
    • dport RELOP PORT - compares remote port to a number
    • sport RELOP PORT - compares local port to a number
    • autobound - checks that socket is bound to an ephemeral port

    RELOP is some of <=, >=, == etc. To make this more convenient for use in unix shell, alphabetic FORTRAN-like notations le, gt etc. are accepted as well.

    The format and semantics of ADDRESS_PATTERN depends on address family.

    • inet - ADDRESS_PATTERN consists of IP prefix, optionally followed by colon and port. If prefix or port part is absent or replaced with *, this means wildcard match.
    • inet6 - The same as inet, only prefix refers to an IPv6 address. Unlike inet colon becomes ambiguous, so that ss allows to use scheme, like used in URLs, where address is surrounded with [ ... ].
    • unix - ADDRESS_PATTERN is shell-style wildcard.
    • packet - format looks like inet, only interface index stays instead of port and link layer protocol id instead of address.
    • netlink - format looks like inet, only socket pid stays instead of port and netlink channel instead of address.

    PORT is syntactically ADDRESS_PATTERN with wildcard address part. Certainly, it is undefined for UNIX sockets.

    5.2 Environment variables

    ss allows to change source of information using various environment variables:

    • PROC_SLABINFO to override /proc/slabinfo
    • PROC_NET_TCP to override /proc/net/tcp
    • PROC_NET_UDP to override /proc/net/udp
    • etc.

    Variable PROC_ROOT allows to change root of all the /proc/ hierarchy.

    Variable TCPDIAG_FILE prescribes to open a file instead of requesting kernel to dump information about TCP sockets.

    This option is used mainly to investigate bug reports, when dumps of files usually found in /proc/ are received by e-mail.

    5.3 Output format

    Six columns. The first is Netid, it denotes socket type and transport protocol, when it is ambiguous: tcp, udp, raw, u_str is abbreviation for unix_stream, u_dgr for UNIX datagram sockets, nl for netlink, p_raw and p_dgr for raw and datagram packet sockets. This column is optional, it will be hidden, if filter selects an unique netid.

    The second column is State. Socket state is displayed here. The names are standard TCP names, except for UNCONN, which cannot happen for TCP, but normal for not connected sockets of another types. Again, this column can be hidden.

    Then two columns (Recv-Q and Send-Q) showing amount of data queued for receive and transmit.

    And the last two columns display local address and port of the socket and its peer address, if the socket is connected.

    If options -o, -e or -p were given, options are displayed not in fixed positions but separated by spaces pairs: option:value. If value is not a single number, it is presented as list of values, enclosed to ( ... ) and separated with commas. F.e.

       timer:(keepalive,111min,0)
    

    is typical format for TCP timer (option -o).

       users:((X,113,3))
    

    is typical for list of users (option -p).

    6. Some numbers

    Well, let us use pidentd and a tool ibench to measure its performance. It is 30 requests per second here. Nothing to test, it is too slow. OK, let us patch pidentd with patch from directory Patches. After this it handles about 4300 requests per second and becomes handy tool to pollute socket tables with lots of timewait buckets.

    So, each test starts from pollution tables with 30000 sockets and then doing full dump of the table piped to wc and measuring timings with time:

    Results:

    • netstat -at - 15.6 seconds
    • ss -atr, but without tcp_diag - 5.4 seconds
    • ss -atr with tcp_diag - 0.47 seconds

    No comments. Though one comment is necessary, most of time without tcp_diag is wasted inside kernel with completely blocked networking. More than 10 seconds, yes. tcp_diag does the same work for 100 milliseconds of system time.

    • 1
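
The port-range filter from dragon788's answer, combined with the shell-escaping caveat in the quoted ss document, as an added shell example (not part of any answer or of iproute2). The helper names `is_port`, `ss_port_range_filter` and `ss_port_range` are hypothetical; the word operators geq/leq/and/or keep the expression free of shell metacharacters, and the port arguments are validated so a variable cannot add extra terms to the filter.

```shell
#!/bin/sh
# Added example: hypothetical helpers, not part of iproute2 or of the answers.

# Succeed only for a decimal port number in 0..65535.
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty, or contains a non-digit
    esac
    [ "${#1}" -le 5 ] && [ "$1" -le 65535 ]
}

# Print an ss filter matching sockets whose remote (dport) or local (sport)
# port lies in LOW..HIGH. Each range is parenthesised explicitly, so the
# result does not depend on how ss ranks "and" against "or".
ss_port_range_filter() {
    is_port "$1" && is_port "$2" && [ "$1" -le "$2" ] || {
        echo "usage: ss_port_range_filter LOW HIGH (0-65535, LOW <= HIGH)" >&2
        return 2
    }
    printf '( ( dport geq :%s and dport leq :%s ) or ( sport geq :%s and sport leq :%s ) )\n' \
        "$1" "$2" "$1" "$2"
}

# Run ss over all TCP sockets (-a -t), numeric ports (-n), with the filter
# passed as one quoted argument, as the answers above do.
ss_port_range() {
    filter=$(ss_port_range_filter "$1" "$2") || return 2
    command -v ss >/dev/null 2>&1 || { echo "ss not found" >&2; return 127; }
    ss -a -t -n "$filter"
}

# Stand-alone use: sh ss-range.sh 5900 5999
if [ "$#" -eq 2 ]; then
    ss_port_range "$1" "$2"
fi
```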
