What does the output of 'ss -s' mean?












I have a problem understanding the output of the Linux ss (socket statistics) command. I cannot understand the meaning of the output of ss -s.

For example:

[root@dls2304-1 ~]# ss -s
Total: 973 (kernel 996)
TCP: 600 (estab 280, closed 73, orphaned 0, synrecv 0, timewait 0/0), ports 333

Transport Total IP IPv6
* 996 - -
RAW 1 1 0
UDP 157 128 29
TCP 527 512 15
INET 685 641 44
FRAG 0 0 0

My questions:

What does Total: 973 (kernel 996) mean? What is Total and what is kernel? Why does Total seem to be smaller than kernel?

In the line TCP: 600 (estab 280, closed 73, orphaned 0, synrecv 0, timewait 0/0), ports 333, what does the word ports mean?

And this:

Transport Total     IP        IPv6
* 996 - -

What does the asterisk (*) mean?

They are way over my head. I cannot find a document about the spec of the output for the ss command. Can you help me out?

linux networking bash iproute2

edited Mar 4 '15 at 3:20 by JakeGould
asked Mar 4 '15 at 1:24 by ruanhao

1 Answer

First, I am going to state explicitly I am really “winging” this answer. I have networking experience as a systems administrator, but my networking knowledge is not as deep as most. So hopefully I will get some of this right. And if someone who knows better reads this, please comment or even edit to correct.

When you run the ss (socket statistics) command with the -s flag, that shows the socket status. So knowing that:

> What does Total: 973 (kernel 996) mean? What is Total and what is kernel? Why does Total seem to be smaller than kernel?

To my knowledge, system sockets don’t expire right away after use. So to the best of my knowledge the 973 is a reflection of total active sockets minus expired sockets, but the 996 connected to the kernel includes the 23 remaining stray sockets that the kernel has not gotten around to cleaning up yet. This page on kernel tuning gives a nice overview of the concept of how the kernel deals with sockets and how one can tune a system to better manage sockets on the kernel level.

> In the line TCP: 600 (estab 280, closed 73, orphaned 0, synrecv 0, timewait 0/0), ports 333, what does the word ports mean?

The ports 333 is just a tally of all port activity on your system at that specific moment. The 333 matches the sum of estab 280 and closed 73. Specifics about those ports would be summarized below that list. But in the context of sockets that line basically states there are 600 sockets available and of those 600, 333 are in some way associated to ports on the system. For more details on what a socket is versus a port, read this excellent answer on Stack Overflow.

> What does the asterisk (*) mean?

In the context of the example you show:

Transport Total     IP        IPv6
* 996 - -

See how that 996 is the kernel total in Total: 973 (kernel 996)? That * correlates to sockets that are simply open/managed regardless of their transport layer on the kernel level.

But that said, yes… This is all quite confusing on a novice level.

edited May 23 '17 at 11:33 by Community
answered Mar 4 '15 at 3:46 by JakeGould

• Thank you very much for your explanation and sorry for the late response. After browsing the source code of iptable2, I found you are basically right and you enlightened me a lot. Just a reminder, ports is not always the sum of estab and closed. ports reflects total ports in use right now on the machine, which is read from /proc/slabstat. So ports includes some ports of astray sockets.

  – ruanhao
  Mar 26 '15 at 9:18
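
Added example (not part of the original question, answer or comment): a small Python parser for the `ss -s` sample quoted in the question, which then checks which arithmetic relations between its fields hold on that sample. The function names and relation labels are made up for this illustration.

```python
import re

# Sample output copied verbatim from the question on this page.
SAMPLE = """\
Total: 973 (kernel 996)
TCP: 600 (estab 280, closed 73, orphaned 0, synrecv 0, timewait 0/0), ports 333

Transport Total IP IPv6
* 996 - -
RAW 1 1 0
UDP 157 128 29
TCP 527 512 15
INET 685 641 44
FRAG 0 0 0
"""


def parse_ss_summary(text):
    """Parse `ss -s` text into total, kernel, the TCP line fields and the table."""
    out = {"total": None, "kernel": None, "tcp": {}, "table": {}}
    in_table = False
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if in_table:
            name, *cells = line.split()
            # "-" marks a cell with no per-family figure (the "*" row).
            out["table"][name] = tuple(None if c == "-" else int(c) for c in cells)
        elif line.startswith("Transport"):
            in_table = True
        elif line.startswith("Total:"):
            m = re.match(r"Total:\s*(\d+)(?:\s*\(kernel\s+(\d+)\))?", line)
            out["total"] = int(m.group(1))
            out["kernel"] = int(m.group(2)) if m.group(2) else None
        elif line.startswith("TCP:"):
            out["tcp"]["total"] = int(re.match(r"TCP:\s*(\d+)", line).group(1))
            # "name value" pairs: the states in parentheses and the trailing "ports N".
            for key, val in re.findall(r"([a-z]+)\s+(\d+(?:/\d+)?)", line):
                out["tcp"][key] = tuple(map(int, val.split("/"))) if "/" in val else int(val)
    return out


def check_relations(s):
    """Return {relation name: bool} for arithmetic relations between the fields."""
    tcp, table = s["tcp"], s["table"]
    rows = [v for v in table.values() if None not in v]
    return {
        # The "*" row repeats the "kernel" figure from the first line.
        "star_row_equals_kernel": "*" in table and table["*"][0] == s["kernel"],
        # In every numeric row, Total = IP + IPv6.
        "total_is_ip_plus_ipv6": all(t == v4 + v6 for t, v4, v6 in rows),
        # INET is the column-wise sum of RAW, UDP and TCP.
        "inet_is_raw_udp_tcp": all(
            table["INET"][i] == sum(table[r][i] for r in ("RAW", "UDP", "TCP"))
            for i in range(3)),
        # Seen on this sample: TCP line total minus "closed" gives the TCP row.
        "tcp_line_minus_closed_is_tcp_row": tcp["total"] - tcp["closed"] == table["TCP"][0],
        # "ports" compared with estab + closed.
        "ports_is_estab_plus_closed": tcp["ports"] == tcp["estab"] + tcp["closed"],
    }


if __name__ == "__main__":
    summary = parse_ss_summary(SAMPLE)
    print("kernel - Total =", summary["kernel"] - summary["total"])
    for name, holds in check_relations(summary).items():
        print(f"{name}: {holds}")
```

To use it on a live host, pass the captured text of `ss -s` to `parse_ss_summary` instead of `SAMPLE`; if that output lacks a field such as `ports`, `check_relations` raises `KeyError` for the relation that needs it.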




















