socket to me


Replacing netstat sockets using ss
PLUG
2019Aug08
der.hans
https://floss.social/@FLOX_advocate
https://mastodon.social/@lufthans

about netstat

from netstat(8), obsolete
       This program is mostly obsolete. Replacement for netstat is ss.
       Replacement for netstat -r is ip route. Replacement for netstat -i is
       ip -s link. Replacement for netstat -g is ip maddr.
from netstat(8), what it does
       netstat - Print network connections, routing tables, interface
       statistics, masquerade connections, and multicast memberships

netstat socket tools

netstat

from netstat(8), default to sockets
       By default, netstat displays a list of open sockets. If you don't
       specify any address families, then the active sockets of all configured
       address families will be printed.

polls /proc

ss

displays socket information

faster with more capabilities

queries kernel space

ss packages

part of iproute2 package in debian-based distributions

part of iproute-2 package in debian-based distributions

probably installed by default

HINT

ss != ssh

socket types

bare ss

ss
ss(8)
       When no option is used ss displays a list of open non-listening sockets
       (e.g. TCP/UNIX/UDP) that have established connection.

summary

ss -s

listening services

ss -l

TCP sockets

ss -t

listening TCP services without name resolution

ss -tln

listening UDP services without name resolution

ss -uln

listening TCP ports including process info if accessible

ss -tlnp

listening TCP ports including process info

sudo ss -tlnp
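
The listening-port commands above are the usual starting point for an exposure check. As an added example (not from the original slides), this filter reads `ss -tlnp` output and reports only the listeners bound to every interface; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag TCP listeners bound to every interface.
# Reads `ss -tlnp` output on stdin; prints "port address process" per hit.
wildcard_listeners() {
    awk '
    $1 == "LISTEN" {                       # also skips the header line
        local_ep = $4                      # Local Address:Port column
        if (!match(local_ep, /:[^:]*$/)) next
        addr = substr(local_ep, 1, RSTART - 1)
        port = substr(local_ep, RSTART + 1)
        # Wildcard binds: IPv4 any, IPv6 any, and "*" as ss prints it
        if (addr != "0.0.0.0" && addr != "[::]" && addr != "*") next
        # The process column is absent when ss may not read it (no sudo)
        proc = "unknown"
        if (match($0, /users:\(\("[^"]+"/))
            proc = substr($0, RSTART + 9, RLENGTH - 10)
        print port, addr, proc
    }'
}

# Constructed sample of `ss -tlnp` output (not captured from a real host).
sample_ss_output() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      4096       127.0.0.1:631        0.0.0.0:*     users:(("cupsd",pid=901,fd=7))
LISTEN 0      128             [::]:22            [::]:*     users:(("sshd",pid=812,fd=4))
LISTEN 0      511                *:80               *:*     users:(("nginx",pid=1440,fd=6))
LISTEN 0      244          0.0.0.0:5432       0.0.0.0:*
EOF
}

# Live use: sudo ss -tlnp | wildcard_listeners
sample_ss_output | wildcard_listeners
```

A listener reported as "unknown" is one whose owning process ss could not read, which is the difference between the two `ss -tlnp` slides above.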

all listening and connected TCP ports

ss -ant

talking to your SSH server

ss -tn sport = :22

established SSH connections

ss -to state established '( dport = :ssh or sport = :ssh )'
ss -tn '( dport = :ssh or sport = :ssh )'

searchable states

established remote web connections

ss -o state established '( dport = :https or dport = :http )'
ss -nt '( dst :443 or dst :80 )'
ss -nt dst :443 or dst :80

server side

show TCP sockets in FIN-WAIT-1 state connected to your web server from the internal network
ss -o state fin-wait-1 '( sport = :http or sport = :https )' dst 192.168/16

all SSH connections?

ss -tan '( dport = :ssh or sport = :ssh )'

verifying the SSH tunnel

$ ss -to state established dport = :2222
Recv-Q    Send-Q            Local Address:Port            Peer Address:Port
0         0                     127.0.0.1:53145              127.0.0.1:2222      timer:(keepalive,41min,0)
$ ss -tp sport = :53145
State   Recv-Q    Send-Q        Local Address:Port         Peer Address:Port
ESTAB   0         0                 127.0.0.1:53145           127.0.0.1:2222     users:(("ssh",pid=16984,fd=3)
lufthans 16984  0.0  0.0  53468  5884 pts/1    S+   21:12   0:00 ssh -p 2222 localhost

connections per network

remote ports
ss dst $cidr:$port
local ports
ss src $cidr:$port
example
$ ss dst 192.168/16:22
Netid State  Recv-Q   Send-Q       Local Address:Port        Peer Address:Port
tcp   ESTAB  0        0           192.168.1.4:48538     192.168.1.14:ssh
tcp   ESTAB  0        0           192.168.1.4:35830     192.168.1.15:ssh

port ranges

why 1023?
ss -tn dport \> :1023

IPv4 and IPv6

ss -tln -4
ss -tln -6

what’s talking to X?

ss -x src /tmp/.X11-unix/*

count of TCP connections

ss -Htn | wc -l

count of all connections

ss -Han | wc -l

Resources

Thank you!