= Replacing netstat sockets using ss
:author: der.hans - https://www.LuftHans.com/talks/
:copyright: 2019 der.hans --- CC BY-SA 4.0 unported
:date: 2019Aug08
:max-width: 60em
:website: https://www.LuftHans.com/talks/
:imagesdir: images
:source-highlighter: pygments
:data-uri:

////
Abstract

----
Netstat prints information about the Linux networking subsystem.
----

goto tool
net info tool since the beginning of EPOCH
obsolete for years
ss replaces netstat's socket capabilities
////

== socket to me

image::PLUG-banner2-variation2-25th_anniv-v32.png[PLUG_25th_anniversary_banner__image_height_100_]

Replacing netstat sockets using ss +
PLUG +
2019Aug08 +
der.hans +
https://floss.social/@FLOX_advocate +
https://mastodon.social/@lufthans

== about netstat

.from netstat(8), obsolete
----
This program is mostly obsolete.
Replacement for netstat is ss.
Replacement for netstat -r is ip route.
Replacement for netstat -i is ip -s link.
Replacement for netstat -g is ip maddr.
----

.from netstat(8), what it does
----
netstat - Print network connections, routing tables, interface statistics,
masquerade connections, and multicast memberships
----

== netstat socket tools

=== netstat

.from netstat(8), default to sockets
----
By default, netstat displays a list of open sockets. If you don't specify
any address families, then the active sockets of all configured address
families will be printed.
----

polls /proc

=== ss

displays socket information

faster with more capabilities

queries kernel space

== ss packages

part of iproute2 package in debian-based distributions

part of iproute-2 package in debian-based distributions

probably installed by default

== HINT

`ss` != `ssh`

== socket types

* TCP sockets
* UDP sockets
* Unix domain sockets
* RAW sockets
* DCCP sockets - https://www.anmolsarma.in/post/dccp/[the socket type you probably never heard of]
* PACKET sockets
* SELinux contexts
* more

== bare ss

----
ss
----

.ss(8)
----
When no option is used ss displays a list of open non-listening sockets
(e.g. TCP/UNIX/UDP) that have established connection.
----

== summary

----
ss -s
----

== listening services

----
ss -l
----

== TCP sockets

----
ss -t
----

== listening TCP services without name resolution

----
ss -tln
----

== listening UDP services without name resolution

----
ss -uln
----

== listening TCP ports including process info if accessible

----
ss -tlnp
----

== listening TCP ports including process info

----
sudo ss -tlnp
----

== all listening and connected TCP ports

----
ss -ant
----

== talking to your SSH server

----
ss -tn sport = :22
----

== established SSH connections

----
ss -to state established '( dport = :ssh or sport = :ssh )'
----

----
ss -tn '( dport = :ssh or sport = :ssh )'
----

== searchable states

* established
* syn-sent
* syn-recv
* fin-wait-1
* fin-wait-2
* time-wait
* closed
* close-wait
* last-ack
* listen
* closing
* all: all of the above states
* connected: all states except for listen and closed
* synchronized: all connected states except for syn-sent
* bucket: show states maintained as minisockets, i.e. time-wait and syn-recv
* big: opposite to bucket state

== established remote web connections

----
ss -o state established '( dport = :https or dport = :http )'
----

----
ss -nt '( dst :443 or dst :80 )'
----

----
ss -nt dst :443 or dst :80
----

== server side

.show TCP sockets in FIN-WAIT-1 connected to your web server from the internal network
----
ss -o state fin-wait-1 '( sport = :http or sport = :https )' dst 192.168/16
----

== all SSH connections?

----
ss -tan '( dport = :ssh or sport = :ssh )'
----

== verifying the SSH tunnel

----
$ ss -to state established dport = :2222
Recv-Q Send-Q Local Address:Port    Peer Address:Port
0      0      127.0.0.1:53145       127.0.0.1:2222      timer:(keepalive,41min,0)
----

----
$ ss -tp sport = :53145
State  Recv-Q Send-Q Local Address:Port    Peer Address:Port
ESTAB  0      0      127.0.0.1:53145       127.0.0.1:2222      users:(("ssh",pid=16984,fd=3))
----

----
lufthans 16984  0.0  0.0  53468  5884 pts/1  S+  21:12  0:00 ssh -p 2222 localhost
----

== connections per network

.remote ports
----
ss dst $cidr:$port
----

.local ports
----
ss src $cidr:$port
----

.example
----
$ ss dst 192.168/16:22
Netid State  Recv-Q Send-Q Local Address:Port    Peer Address:Port
tcp   ESTAB  0      0      192.168.1.4:48538     192.168.1.14:ssh
tcp   ESTAB  0      0      192.168.1.4:35830     192.168.1.15:ssh
----

== port ranges

.why 1023?
----
ss -tn dport \> :1023
----

== IPv4 and IPv6

----
ss -tln -4
----

----
ss -tln -6
----

== what's talking to X?

----
ss -x src /tmp/.X11-unix/*
----

== count of TCP connections

----
ss -tn | wc -l
----

== count of all connections

----
ss -an | wc -l
----

// -N NSNAME, --net=NSNAME
// Switch to the specified network namespace name.

== Resources

* netstat(8)
* ss(8)
* https://www.cyberciti.biz/tips/linux-investigate-sockets-network-connections.html[good walkthrough socket info gathering]
* http://www.binarytides.com/linux-ss-command/[more good ss examples]
* https://www.LuftHans.com/talks/ - my presentations

== Thank you!

* FLOX Advocate
** https://floss.social/@FLOX_advocate
* Mastodon
** https://mastodon.social/@lufthans
* IRC
** LuftHans on Freenode, usually in #LOPSA and #PLUGaz
* https://www.LuftHans.com/talks/ - my presentations
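== appendix: summarizing ss -tan output

An added example, not part of these slides: a small POSIX shell script that reads `ss -tan` output (the form shown under "all listening and connected TCP ports") and summarizes it the way someone checking a host would want: sockets per state, established connections per peer address, and listeners bound to every interface rather than localhost. The `ss` output it parses is a constructed sample embedded in the script, so it runs without root or a live network.

```shell
#!/bin/sh
# Constructed sample of `ss -tan` output (not captured from a real host).
# In practice pipe live output instead:  ss -tan | summarize_states
SAMPLE_SS='State     Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN    0      128    0.0.0.0:22           0.0.0.0:*
LISTEN    0      128    127.0.0.1:631        0.0.0.0:*
ESTAB     0      0      192.168.1.4:48538    192.168.1.14:22
ESTAB     0      0      192.168.1.4:35830    192.168.1.15:22
TIME-WAIT 0      0      192.168.1.4:51020    198.51.100.7:443
SYN-SENT  0      1      192.168.1.4:51021    198.51.100.7:443'

# Count sockets per TCP state (column 1), skipping the header line.
# A sudden pile of SYN-RECV or TIME-WAIT here is the first thing to look at.
summarize_states() {
    awk 'NR > 1 { n[$1]++ } END { for (s in n) print s, n[s] }' | sort
}

# Count established connections per peer IP: strip ":port" from column 5.
# Works for IPv6 peers too, since the port is always the last ":" field.
established_peers() {
    awk 'NR > 1 && $1 == "ESTAB" { sub(/:[^:]*$/, "", $5); n[$5]++ }
         END { for (p in n) print n[p], p }' | sort -rn
}

# Listening sockets bound to all interfaces (0.0.0.0, * or [::]),
# i.e. services reachable from beyond localhost.
exposed_listeners() {
    awk 'NR > 1 && $1 == "LISTEN" && $4 ~ /^(0\.0\.0\.0|\*|\[::\]):/ { print $4 }'
}

printf '%s\n' "$SAMPLE_SS" | summarize_states
printf '%s\n' "$SAMPLE_SS" | established_peers
printf '%s\n' "$SAMPLE_SS" | exposed_listeners
```

Because `ss` prints the State column only when no `state` filter is given, feed these functions plain `ss -tan` output rather than a `ss -t state established ...` query.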