Unix & Linux Stack Exchange
Q&A for users of Linux, FreeBSD and other Unix-like operating systems
Latest Questions
0 votes, 0 answers, 39 views
I'm trying to resolve "Failed to open cgroup2 by ID" from my socket statistics "ss"
I'm learning to investigate my socket statistics so I do..
```
sudo ss -tulerp
```
I get the following in the output..
```
Failed to open cgroup2 by ID
Failed to open cgroup2 by ID
Failed to open cgroup2 by ID
Failed to open cgroup2 by ID
Failed to open cgroup2 by ID
Failed to open cgroup2 by ID
udp UNCONN 0 0 0.0.0.0:rpc.nlockmgr 0.0.0.0:* ino:9653 sk:379 cgroup:unreachable:1696
udp UNCONN 0 0 [::]:34245 [::]:* ino:14892 sk:387 cgroup:unreachable:1696 v6only:1
tcp LISTEN 0 64 0.0.0.0:rpc.nfs 0.0.0.0:* ino:7020 sk:395 cgroup:unreachable:1696
tcp LISTEN 0 64 0.0.0.0:rpc.nlockmgr 0.0.0.0:* ino:9654 sk:398 cgroup:unreachable:1696
tcp LISTEN 0 64 [::]:rpc.nfs [::]:* ino:9648 sk:39c cgroup:unreachable:1696 v6only:1
tcp LISTEN 0 64 [::]:34827 [::]:* ino:3924 sk:39d cgroup:unreachable:1696 v6only:1
```
I try to close port `34827` with..
```
sudo ss -K dport = 34827
```
but it just fails silently.
I assume each "Failed to open cgroup2 by ID" corresponds to one of the "cgroup:unreachable" entries.
What is happening? And how do I resolve this? This is on Ubuntu 22.04 in case it is relevant.
slowcoder
(71 rep)
Jul 30, 2025, 11:14 PM
• Last activity: Jul 30, 2025, 11:27 PM
3 votes, 1 answer, 543 views
Why is `ss --kill` so slow?
I've measured `ss --tcp --numeric --no-header --kill dst 1.2.3.0/24` on various machines (all running Ubuntu Server 22 or 24 LTS) and it consistently needs around 7-10ms to complete. Any idea where the bottleneck is or if there is a way to make it complete faster?
cherouvim
(137 rep)
Feb 24, 2025, 07:44 AM
• Last activity: Feb 24, 2025, 10:34 AM
1 vote, 1 answer, 300 views
Why ss show a port is in use but lsof doesn't?
When I use `ss` (socket statistics) to show the usages of port `5432` I get:
```sh
$ sudo ss -ln | grep -E 'State|5432'
Netid State Recv-Q Send-Q Local Address:Port Peer Address:PortProcess
u_str LISTEN 0 244 /var/run/postgresql/.s.PGSQL.5432 54481 * 0
tcp LISTEN 0 244 127.0.0.1:5432 0.0.0.0:*
```
When using `lsof` (list of open files) instead I get no result:
```sh
$ sudo lsof -i tcp:5432
```
Why is that?
Related to:
- https://unix.stackexchange.com/q/652556/87249
- [Difference between lsof -i : & socket statistics ss -lp | grep ?](https://stackoverflow.com/q/77685954/334569)
**Edit with answers from comments:**
- `sudo ss -lnp` does not show the pid of the process(es) that have that listening socket
- the `127.0.0.1:5432 0.0.0.0:*` on the last line was a copy-paste error, sorry about that, I have removed it
- I am running those commands in a WSL terminal, Postgres is not running anywhere
**Edit with new findings:**
I have found out this is happening only when Docker Desktop is running (even though there is no container running): `ss` doesn't output anything once I quit Docker Desktop. It looks like this might be an issue somehow related with Docker Desktop: I have reported it in this GitHub issue.
Marco Lackovic
(111 rep)
Jun 8, 2024, 08:53 AM
• Last activity: Jun 11, 2024, 05:38 PM
0 votes, 2 answers, 2551 views
Where does ss command gather its data for ports etc
When trying to see port clashes within my system, many websites online recommend using **/etc/services** or **ss -tunl** to see port info
I am noticing **/etc/services** is providing different information to **-ss** on most occasions.
Output comparison examples
```
sudo cat /etc/services
ftp 21/udp
ftp 21/sctp
ssh 22/tcp
ssh 22/udp
ssh 22/sctp
telnet 23/tcp
telnet 23/udp
smtp 25/tcp
```
versus
```
ss -tunl
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 0.0.0.0:5353 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:46670 0.0.0.0:*
udp UNCONN 0 0 [::]:5353 [::]:*
udp UNCONN 0 0 [::]:38838 [::]:*
```
Is **/etc/services** a static data file and should only be used as a guide, not a true reflection of what the real port configuration of the system is?
Where does **ss** program gather this port data, and how can I modify/delete some of the ports, either through **ss** or another program?
Rachel1983
(23 rep)
Apr 7, 2024, 04:21 PM
• Last activity: Apr 7, 2024, 05:03 PM
0 votes, 2 answers, 277 views
Why using grep for some netstat commands require sudo priv?
System:
- Ubuntu 20.04.06
- net-tools 2.10-alpha
- grep (GNU grep) 3.4
If I run netstat without sudo I see port information and no process information. This is expected as process information requires elevated privileges.
```
$ netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:43445 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:41933 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:42649 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:46059 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:45983 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:5001 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:5433 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:5432 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:34903 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:37257 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:37081 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:38445 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:38335 0.0.0.0:* LISTEN -
tcp6 0 0 ::1:3350 :::* LISTEN -
tcp6 0 0 ::1:631 :::* LISTEN -
tcp6 0 0 :::2377 :::* LISTEN -
tcp6 0 0 :::3389 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 :::25 :::* LISTEN -
tcp6 0 0 :::111 :::* LISTEN -
tcp6 0 0 :::443 :::* LISTEN -
tcp6 0 0 :::7946 :::* LISTEN -
tcp6 0 0 :::5001 :::* LISTEN -
tcp6 0 0 :::5433 :::* LISTEN -
tcp6 0 0 :::5432 :::* LISTEN -
udp 0 0 127.0.0.53:53 0.0.0.0:* -
udp 0 0 0.0.0.0:111 0.0.0.0:* -
udp 0 0 0.0.0.0:631 0.0.0.0:* -
udp 0 0 0.0.0.0:4789 0.0.0.0:* -
udp 0 0 0.0.0.0:5353 0.0.0.0:* -
udp 0 0 0.0.0.0:43294 0.0.0.0:* -
udp6 0 0 :::52206 :::* -
udp6 0 0 :::111 :::* -
udp6 0 0 :::5353 :::* -
udp6 0 0 :::7946 :::* -
```
But if I try to send that output to grep I get an error that I need sudo priv. Why? None of the process information was shown on stdout, why would grep change that?
```
$ netstat -tulpn | grep 8080
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
```
**TROUBLESHOOTING:**
- This does not happen if I don't include `-p` (i.e. `netstat -tuln | grep 8080`)
- This does not happen if I use smaller grep string (i.e. `netstat -tulpn | grep 8`)
- Using `ss` does not show the same problem (i.e. `ss -tulpn | grep 8080`)
What is going on here?
Note: Yes I know netstat is deprecated and I should use `ss` instead, I am just curious why this behavior is happening.
Dave
(700 rep)
Feb 4, 2024, 03:12 PM
• Last activity: Feb 4, 2024, 10:00 PM
0 votes, 1 answer, 203 views
How can I find out what so_type an existing unix socket has in macOS?
In linux we can run `ss -x` or `lsof -U +E` and we can see what type unix socket has. But in macOS there is no `ss` or we can run `lsof -U` which only shows TYPE - unix, but I would like to know with some utility what exactly so_type a unix socket has.
amkgi
(103 rep)
Jan 3, 2024, 05:46 AM
• Last activity: Jan 3, 2024, 07:46 AM
7 votes, 2 answers, 2420 views
Given a service name, get its port number?
Hi I feel like this is an obvious question but I haven't been able to get a good answer so far. Given the name of the service (which I know running on localhost) is there any networking command line tool like (`netstat`/`ss`) which will tell me what port that service is running at? Ideally something like:
```
$ some-program --service-name='mysql' localhost
'mysql' is running at localhost:3306
```
I feel like there are solutions out there but none of them address it adequately. For example I have considered the following two `ss` commands:
1. `ss -tuln` with output:
```
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:21119 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:37766 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:54399 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:5353 0.0.0.0:*
udp UNCONN 0 0 [::]:51755 [::]:*
udp UNCONN 0 0 [::]:5353 [::]:*
udp UNCONN 0 0 *:1716 *:*
tcp LISTEN 0 100 127.0.0.1:25 0.0.0.0:*
tcp LISTEN 0 70 127.0.0.1:33060 0.0.0.0:*
tcp LISTEN 0 64 0.0.0.0:59687 0.0.0.0:*
tcp LISTEN 0 151 127.0.0.1:3306 0.0.0.0:*
```
and
2. `ss -tul` with output:
```
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 0.0.0.0:36308 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:36570 0.0.0.0:*
udp UNCONN 0 0 127.0.0.53%lo:domain 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:41124 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:21119 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:37766 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:54399 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:mdns 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:54522 0.0.0.0:*
udp UNCONN 0 0 [::]:51755 [::]:*
udp UNCONN 0 0 [::]:mdns [::]:*
udp UNCONN 0 0 *:1716 *:*
tcp LISTEN 0 100 127.0.0.1:smtp 0.0.0.0:*
tcp LISTEN 0 70 127.0.0.1:33060 0.0.0.0:*
tcp LISTEN 0 64 0.0.0.0:59687 0.0.0.0:*
tcp LISTEN 0 151 127.0.0.1:mysql 0.0.0.0:*
```
The first command's output lists the port numbers that are listening while the second command's output is able to resolve them to the services running at the ports. But I can't somehow "combine" the two outputs where I can have the port number mapped to the service running, side by side. For example the rows:
```
tcp LISTEN 0 151 127.0.0.1:mysql 0.0.0.0:*
```
and
```
tcp LISTEN 0 151 127.0.0.1:3306 0.0.0.0:*
```
would be "combined" to give "127.0.0.1:3306 (mysql)" or something to that effect. I only know the above mapping because I googled what the default MySQL port is.
Is there a way to do this? It must be said that I am only learning to use these networking tools so any guidance is much appreciated.
First User
(345 rep)
Oct 17, 2023, 03:46 PM
• Last activity: Oct 19, 2023, 12:58 PM
4 votes, 1 answer, 1197 views
How can I remove this annoying message: "Failed to find cgroup2 mount"?
I run this command
```
ss -tulpnoea|grep -i water|grep -v 127
Failed to find cgroup2 mount
Failed to find cgroup2 mount
Failed to find cgroup2 mount
Failed to find cgroup2 mount
Failed to find cgroup2 mount
Failed to find cgroup2 mount
Failed to find cgroup2 mount
Failed to find cgroup2 mount
Failed to find cgroup2 mount
Failed to find cgroup2 mount
.....
```
I tried with 2> /dev/null...
```
ss -tulpnoea|grep -i water|grep -v 127 2> /dev/null
Failed to find cgroup2 mount
Failed to find cgroup2 mount
Failed to find cgroup2 mount
Failed to find cgroup2 mount
Failed to find cgroup2 mount
Failed to find cgroup2 mount
Failed to find cgroup2 mount
Failed to find cgroup2 mount
Failed to find cgroup2 mount
Failed to find cgroup2 mount
.....
```
How to avoid the annoying message about cgroup2 mount?
Distro is Slackware 15.0
elbarna
(13690 rep)
Jun 2, 2023, 07:33 PM
• Last activity: Jun 22, 2023, 08:10 AM
1 vote, 1 answer, 276 views
ss doesn't display socket info related to the process opening SOL_SOCKET
I run a python code inside docker container performing the following calls
```
import socket as s,subprocess as sp;s1=s.socket(s.AF_INET,s.SOCK_STREAM);
s1.setsockopt(s.SOL_SOCKET,s.SO_REUSEADDR, 1);s1.bind(("0.0.0.0",9001));s1.listen(1);c,a=s1.accept();
```
I'm trying to get info using `ss` and see the open sockets, but can't get them
```
docker run --rm --publish 9001:9001 -it --name python-app sample-python-app reverseshell.py
docker inspect --format='{{.State.Pid}}' python-app
1160502
> sudo ss -a -np | grep 9001
tcp LISTEN 0 4096 0.0.0.0:9001 0.0.0.0:* users:(("docker-proxy",pid=1160459,fd=4))
tcp LISTEN 0 4096 [::]:9001 [::]:* users:(("docker-proxy",pid=1160467,fd=4))
```
however lsof gives me more info:
```
> sudo lsof -p 1160502
lsof: WARNING: can't stat() fuse.gvfsd-fuse file system /run/user/1000/gvfs
Output information may be incomplete.
lsof: WARNING: can't stat() fuse.portal file system /run/user/1000/doc
Output information may be incomplete.
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
python 1160502 dmitry cwd DIR 0,1364 108 19497 /workspace
python 1160502 dmitry rtd DIR 0,1364 188 256 /
python 1160502 dmitry txt REG 0,1364 6120 6529 /layers/paketo-buildpacks_cpython/cpython/bin/python3.10
python 1160502 dmitry mem REG 0,30 6529 /layers/paketo-buildpacks_cpython/cpython/bin/python3.10 (stat: No such file or directory)
python 1160502 dmitry mem REG 0,30 9492 /layers/paketo-buildpacks_cpython/cpython/lib/python3.10/lib-dynload/_posixsubprocess.cpython-310-x86_64-linux-gnu.so (stat: No such file or directory)
python 1160502 dmitry mem REG 0,30 9518 /layers/paketo-buildpacks_cpython/cpython/lib/python3.10/lib-dynload/fcntl.cpython-310-x86_64-linux-gnu.so (stat: No such file or directory)
python 1160502 dmitry mem REG 0,30 9514 /layers/paketo-buildpacks_cpython/cpython/lib/python3.10/lib-dynload/array.cpython-310-x86_64-linux-gnu.so (stat: No such file or directory)
python 1160502 dmitry mem REG 0,30 9527 /layers/paketo-buildpacks_cpython/cpython/lib/python3.10/lib-dynload/select.cpython-310-x86_64-linux-gnu.so (stat: No such file or directory)
python 1160502 dmitry mem REG 0,30 9520 /layers/paketo-buildpacks_cpython/cpython/lib/python3.10/lib-dynload/math.cpython-310-x86_64-linux-gnu.so (stat: No such file or directory)
python 1160502 dmitry mem REG 0,30 9499 /layers/paketo-buildpacks_cpython/cpython/lib/python3.10/lib-dynload/_socket.cpython-310-x86_64-linux-gnu.so (stat: No such file or directory)
python 1160502 dmitry mem REG 0,30 634 /lib/x86_64-linux-gnu/libm-2.27.so (stat: No such file or directory)
python 1160502 dmitry mem REG 0,30 692 /lib/x86_64-linux-gnu/libutil-2.27.so (stat: No such file or directory)
python 1160502 dmitry mem REG 0,30 619 /lib/x86_64-linux-gnu/libdl-2.27.so (stat: No such file or directory)
python 1160502 dmitry mem REG 0,30 670 /lib/x86_64-linux-gnu/libpthread-2.27.so (stat: No such file or directory)
python 1160502 dmitry mem REG 0,30 609 /lib/x86_64-linux-gnu/libc-2.27.so (stat: No such file or directory)
python 1160502 dmitry mem REG 0,30 6705 /layers/paketo-buildpacks_cpython/cpython/lib/libpython3.10.so.1.0 (stat: No such file or directory)
python 1160502 dmitry mem REG 0,30 591 /lib/x86_64-linux-gnu/ld-2.27.so (stat: No such file or directory)
python 1160502 dmitry mem REG 0,30 3735 /usr/lib/locale/locale-archive (path dev=0,32, inode=1544914)
python 1160502 dmitry mem REG 0,30 1365 /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache (stat: No such file or directory)
python 1160502 dmitry mem REG 0,30 1091 /usr/lib/locale/C.UTF-8/LC_CTYPE (stat: No such file or directory)
python 1160502 dmitry 0u CHR 136,0 0t0 3 /dev/pts/0
python 1160502 dmitry 1u CHR 136,0 0t0 3 /dev/pts/0
python 1160502 dmitry 2u CHR 136,0 0t0 3 /dev/pts/0
python 1160502 dmitry 3u sock 0,8 0t0 75159952 protocol: TCP
```
at least I have this line showing that fd=3 opens socket but without actual port number.
```
python 1160502 dmitry 3u sock 0,8 0t0 75159952 protocol: TCP
```
so how to find with `ss` information about open socket over port 9001 that is not `docker-proxy`?
DmitrySemenov
(805 rep)
Apr 21, 2023, 12:42 AM
• Last activity: Apr 22, 2023, 09:58 AM
3 votes, 1 answer, 1449 views
ss showing socket stuck in SYN-SENT with no traceable PID
On a client I see the following:
```
[root@redacted_local ~]# ss | grep -i syn
SYN-SENT 0 1 redacted_local_ip:792 redacted_server_ip:nfs
```
This status has remained the same. I'm unable to actually track port 792/SYN_SENT statuses to a PID:
```
[root@redacted_local ~]# netstat -pnt | grep -i syn
tcp 0 1 redacted_local_ip:792 redacted_server_ip:2049 SYN_SENT -
```
How can I tell what is actually holding this port open and what PID exists that needs to be killed? The client is using `autofs` to go to the NFS server and mount user directories, such that when a user logs into the client, they will have their home directory mounted from the NFS server. Is something even "stuck" in the first place that can be killed?
Kahn
(1827 rep)
Jul 27, 2020, 08:43 PM
• Last activity: Apr 5, 2023, 06:13 PM
0 votes, 1 answer, 2530 views
Find out what process is listening on a specific port
For the first time in my life, I am unable to figure out what process is listening on a specific port in Linux :)
This is an Ubuntu Server 22.04 installation, running K8s. There is an ingress controller in the cluster that is binding to ports 80 and 443, and I know this works because:
```
:~# curl localhost
404 Not Found
404 Not Found
nginx
:~# curl localhost:443
400 The plain HTTP request was sent to HTTPS port
400 Bad Request
The plain HTTP request was sent to HTTPS port
nginx
~# curl https://localhost:443 -k
404 Not Found
404 Not Found
nginx
```
The problem is that I cannot figure out what process binds to those ports, and how. I did try using `ss`, but nothing shows up:
```
:~# ss -tlnpu | grep 80
tcp LISTEN 0 4096 192.168.13.191:2380 0.0.0.0:* users:(("etcd",pid=1452,fd=8))
tcp LISTEN 0 4096 127.0.0.1:2380 0.0.0.0:* users:(("etcd",pid=1452,fd=7))
:~# ss -tlnpu | grep 443
tcp LISTEN 0 4096 *:6443 *:* users:(("kube-apiserver",pid=1546,fd=7))
```
How can I figure out the actual process that is listening on the ports?
Bogd
(101 rep)
Nov 23, 2022, 08:15 AM
• Last activity: Nov 23, 2022, 10:52 AM
1 vote, 0 answers, 1609 views
Unable to connect to a listening tcp port 80, Iptables is not blocking it
I am trying to see if `tcp port 80` is open on a debian 11 server. I logged into it using SSH and did `curl -v telnet://localhost:80`. It says connection refused. If I do the same with port 22, it shows that I am connected to SSH service. Machine doesn't have telnet or netstat installed locally. It has ss and nc.
The IP of the interface is `10.31.45.82` and the output of `sudo ss -antp` is:
```
Proto State Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp LISTEN 0 32 10.31.45.82:80 0.0.0.0:* users:(("openvpn",pid=709,fd=7))
```
`curl -v telnet://10.31.45.82:80` is showing connection refused. Same with `nc 10.31.45.82 80`.
I am not sure what is blocking the port. IP tables input chain has policy ACCEPT so that's not blocking the port. Any ideas? I am confused as to why localhost port 80 is showing as refused. Can an external firewall block telnet on localhost? I used nc localhost 22 and it's connecting to SSH and it shows ESTAB in `ss -antp`. But `nc localhost 80` is showing connection refused.
`sudo iptables-save -c` output:
```
*filter
:INPUT ACCEPT [4958147:1463832998]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [4920575:611816160]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
[185417:9902718] -A FORWARD -j DOCKER-USER
[185417:9902718] -A FORWARD -j DOCKER-ISOLATION-STAGE-1
[0:0] -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -o docker0 -j DOCKER
[0:0] -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
[0:0] -A FORWARD -i docker0 -o docker0 -j ACCEPT
[184273:9850974] -A FORWARD -o br-55d0dcfbc5d8 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[256:13280] -A FORWARD -o br-55d0dcfbc5d8 -j DOCKER
[888:38464] -A FORWARD -i br-55d0dcfbc5d8 ! -o br-55d0dcfbc5d8 -j ACCEPT
[4:240] -A FORWARD -i br-55d0dcfbc5d8 -o br-55d0dcfbc5d8 -j ACCEPT
[4:176] -A DOCKER -d 172.22.0.3/32 ! -i br-55d0dcfbc5d8 -o br-55d0dcfbc5d8 -p tcp -m tcp --dport 9001 -j ACCEPT
[248:12864] -A DOCKER -d 172.10.0.3/32 ! -i br-55d0dcfbc5d8 -o br-55d0dcfbc5d8 -p tcp -m tcp --dport 1883 -j ACCEPT
[0:0] -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
[888:38464] -A DOCKER-ISOLATION-STAGE-1 -i br-55d0dcfbc5d8 ! -o br-55d0dcfbc5d8 -j DOCKER-ISOLATION-STAGE-2
[185417:9902718] -A DOCKER-ISOLATION-STAGE-1 -j RETURN
[0:0] -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
[0:0] -A DOCKER-ISOLATION-STAGE-2 -o br-55d0dcfbc5d8 -j DROP
[888:38464] -A DOCKER-ISOLATION-STAGE-2 -j RETURN
[185417:9902718] -A DOCKER-USER -j RETURN
COMMIT
# Completed on Sat Aug 13 16:58:44 2022
# Generated by iptables-save v1.8.7 on Sat Aug 13 16:58:44 2022
*nat
:PREROUTING ACCEPT [43383:2953292]
:INPUT ACCEPT [43379:2953052]
:OUTPUT ACCEPT [137397:7281952]
:POSTROUTING ACCEPT [137648:7294828]
:DOCKER - [0:0]
[0:0] -A PREROUTING -d 10.31.45.83/32 -p udp -m udp --dport 80 -j REDIRECT --to-ports 123
[39282:2267543] -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
[8:448] -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
[0:0] -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
[6:456] -A POSTROUTING -s 172.22.0.0/16 ! -o br-55d0dcfbc5d8 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.22.0.3/32 -d 172.22.0.3/32 -p tcp -m tcp --dport 9001 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.22.0.3/32 -d 172.22.0.3/32 -p tcp -m tcp --dport 1883 -j MASQUERADE
[0:0] -A DOCKER -i docker0 -j RETURN
[0:0] -A DOCKER -i br-55d0dcfbc5d8 -j RETURN
[5:228] -A DOCKER ! -i br-55d0dcfbc5d8 -p tcp -m tcp --dport 9001 -j DNAT --to-destination 172.22.0.3:9001
[248:12864] -A DOCKER ! -i br-55d0dcfbc5d8 -p tcp -m tcp --dport 1883 -j DNAT --to-destination 172.22.0.3:1883
COMMIT
```
And nftables not installed:
```
-bash: nftables: command not found
```
Cruise5
(546 rep)
Aug 13, 2022, 09:03 PM
• Last activity: Aug 13, 2022, 11:21 PM
2 votes, 1 answer, 1663 views
Can a single unix domain socket connect to multiple peers simultaneously?
Since this is the socket that `syslog`'s `/dev/log` is symlinked to, I expect there is at least one listening socket from `systemd-journald`, and possibly some additional connected ones, with different "port" numbers. `/run/systemd/journal/stdout` does just that.
Listening socket:
```
# ss -xpl | grep stdout
u_str LISTEN 0 4096 /run/systemd/journal/stdout 15240 * 0 users:(("systemd-journal",pid=254,fd=5),("systemd",pid=1,fd=38))
```
Connected pair example:
```
# ss -xp | grep 19637
u_str ESTAB 0 0 * 20872 * 19637 users:(("dbus-daemon",pid=701,fd=2),("dbus-daemon",pid=701,fd=1))
u_str ESTAB 0 0 /run/systemd/journal/stdout 19637 * 20872 users:(("systemd-journal",pid=254,fd=73),("systemd",pid=1,fd=78))
```
However for `dev-log`, it seems that there is no listening socket. A single socket("port"=15236) from systemd-journald is connected to multiple peers, and then in its own record, the socket is shown as ESTAB, with the peer "port" shown as 0. How is that possible? Does the unix socket operate fundamentally different in that aspect compared to a tcp one?
Maybe I should ask, what does a port number in `ss` output mean for a unix domain socket?
```
# ss -xpl | grep dev-log
# ss -xp | grep dev-log
u_dgr ESTAB 0 0 /run/systemd/journal/dev-log 15236 * 0 users:(("systemd-journal",pid=254,fd=3),("systemd",pid=1,fd=36))
# ss -xp | grep 15236
u_dgr ESTAB 0 0 /run/systemd/journal/dev-log 15236 * 0 users:(("systemd-journal",pid=254,fd=3),("systemd",pid=1,fd=36))
u_dgr ESTAB 0 0 * 19250 * 15236 users:(("dbus-daemon",pid=369,fd=14))
u_dgr ESTAB 0 0 * 101364 * 15236 users:(("su",pid=4448,fd=3))
u_dgr ESTAB 0 0 * 22068 * 15236 users:(("gdm",pid=373,fd=13))
u_dgr ESTAB 0 0 * 20801 * 15236 users:(("(sd-pam",pid=692,fd=8))
u_dgr ESTAB 0 0 * 21686 * 15236 users:(("dbus-daemon",pid=701,fd=10))
u_dgr ESTAB 0 0 * 19589 * 15236 users:(("gdm-session-wor",pid=680,fd=9))
u_dgr ESTAB 0 0 * 104580 * 15236 users:(("sudo",pid=4447,fd=8))
u_dgr ESTAB 0 0 * 14305 * 15236 users:(("polkitd",pid=450,fd=10))
u_dgr ESTAB 0 0 * 23001 * 15236 users:(("gnome-session-b",pid=727,fd=17))
```
QnA
(605 rep)
Jul 6, 2022, 02:02 AM
• Last activity: Jul 6, 2022, 04:06 PM
-1 votes, 2 answers, 1514 views
how to Find the port number according to PID
The following command can be used to find out which process is listening on a particular port:
```
netstat -ltnp | grep -w ':8011'
```
How can we do the opposite, find the port number according to PID number?
yael
(13936 rep)
Jun 16, 2022, 11:57 AM
• Last activity: Jun 16, 2022, 12:23 PM
1 vote, 0 answers, 1249 views
socket statistics (ss) program weird ipv6 listening socket address format
I have two services listening on TCP/IPv6 sockets, `ssh` and `mysql`. `ss` shows this:
```
$ ss -tl6
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 [::]:ssh [::]:*
LISTEN 0 80 *:mysql *:*
```
Why is the "Local Address" and "Peer Address" displayed differently for `ssh` and `mysql`? I.e. what if anything is the meaning behind "[::]" vs "*"? Note `netstat` shows no difference ("::" for both):
```
sudo netstat -natlp6
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp6 0 0 :::22 :::* LISTEN 26240/sshd
tcp6 0 0 :::3306 :::* LISTEN 23933/mysqld
```
---
**UPDATE** As @Amir pointed to in comments, there is actually a difference between the two services: `sshd` has two open sockets one for ipv4 only and one for ipv6, whereas `mysqld` only has one ipv6 socket:
```
$ pgrep mysqld
23933
$ pgrep sshd
26240
$ sudo lsof -a -p 23933 -i
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
mysqld 23933 mysql 27u IPv6 6062236 0t0 TCP *:mysql (LISTEN)
$ sudo lsof -a -p 26240 -i
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 26240 root 3u IPv4 6106855 0t0 TCP *:ssh (LISTEN)
sshd 26240 root 4u IPv6 6106857 0t0 TCP *:ssh (LISTEN)
```
I disabled ipv4 in SSH config and `ss` still displays the two differently, but it may be different type of ipv6 / ipv4 support as @Amir mentioned?
spinkus
(500 rep)
Dec 2, 2020, 12:53 PM
• Last activity: Apr 17, 2022, 10:24 PM
0 votes, 1 answer, 2387 views
How to show the "syn_sent" socket state on Linux in realtime?
I want to see the state "syn_sent" of socket in realtime during the connection process
ss or netstat or any command
I have tried those commands, but all fail
```
watch netstat -tnaop|grep -i syn
ss -4 state syn
```
elbarna
(13690 rep)
Jan 31, 2022, 02:44 AM
• Last activity: Jan 31, 2022, 02:54 AM
0 votes, 1 answer, 461 views
Where in the filesystem can I get metadata about a socket?
I know lsof and ss provide metadata about connections. Where do they get it from?
For example, this represents a connection:
```
ls -al /proc/102922/fd/98
lrwx------ 1 me me 64 dic 21 06:06 /proc/102922/fd/74 -> 'socket:[3803248]'
```
With ss I can see more info:
```
tcp ESTAB 0 0 192.168.68.108:33966 198.252.206.25:https users:(("chrome",pid=102922,fd=98)) cubic wscale:9,7 rto:296 rtt:92.785/24.455 ato:40 mss:1448 pmtu:1500 rcvmss:536 advmss:1448 cwnd:10 bytes_sent:1463 bytes_acked:1464 bytes_received:336 segs_out:11 segs_in:7 data_segs_out:6 data_segs_in:2 send 1.25Mbps lastsnd:71284 lastrcv:71292 lastack:26068 pacing_rate 2.5Mbps delivery_rate 271kbps delivered:7 app_limited busy:308ms rcv_space:14480 rcv_ssthresh:64088 minrtt:86.996
```
But, assume the system my app is running on does not have ss for some reason. How can I go from socket: to the tcp stats that ss provides? I don't intend to fully rewrite ss :) but I'm curious about what exists in the filesystem.
user717847
(125 rep)
Dec 22, 2021, 11:12 AM
• Last activity: Dec 22, 2021, 02:19 PM
0 votes, 1 answer, 309 views
View extended stats for listening ports (using ss?)
With `ss -tuiOp` we can view extended stats for an outbound process, e.g.:
```
tcp ESTAB 0 0 192.168.68.108:32862 52.86.220.33:https users:(("chrome",pid=13907,fd=44)) cubic wscale:12,7 rto:292 rtt:91.131/1.147 ato:40 mss:1288 pmtu:1500 rcvmss:1288 advmss:1448 cwnd:10 bytes_sent:25761 bytes_retrans:108 bytes_acked:25654 bytes_received:136601 segs_out:1010 segs_in:630 data_segs_out:407 data_segs_in:522 send 1.13Mbps lastsnd:2184 lastrcv:2092 lastack:2092 pacing_rate 2.26Mbps delivery_rate 339kbps delivered:408 app_limited busy:36036ms retrans:0/2 dsack_dups:2 rcv_rtt:33522.9 rcv_space:67624 rcv_ssthresh:225644 minrtt:82.525
```
However, this isn't viewable for listening ports using `ss -tuiOpl`:
```
tcp LISTEN 0 64 *:sip *:* users:(("linphone",pid=13355,fd=39)) cubic cwnd:10
```
Is there a way to get similar stats for listening ports? I'm particularly interested in bytes_sent, bytes_received, lastrcv.
user717847
(125 rep)
Dec 20, 2021, 01:24 PM
• Last activity: Dec 21, 2021, 11:06 AM
32 votes, 3 answers, 13955 views
ss - linux socket statistics utility output format
When using `ss` with `-p` option, `user/pid/fd` column jumps underneath the particular line. For instance this is what I'm actually seeing:
```
# ss -nulp4
State Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0 0 *:20000 *:*
users:(("perl",pid=9316,fd=6))
UNCONN 0 0 *:10000 *:*
users:(("perl",pid=9277,fd=6))
UNCONN 0 0 192.168.100.10:53 *:*
users:(("named",pid=95,fd=517),("named",pid=95,fd=516))
UNCONN 0 0 127.0.0.1:53 *:*
users:(("named",pid=95,fd=515),("named",pid=95,fd=514))
```
**Preferred output formatting**:
```
# ss -nulp4
State Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0 0 *:20000 *:* users:(("perl",pid=9316,fd=6))
UNCONN 0 0 *:10000 *:* users:(("perl",pid=9277,fd=6))
UNCONN 0 0 192.168.100.10:53 *:* users:(("named",pid=95,fd=517),("named",pid=95,fd=516))
UNCONN 0 0 127.0.0.1:53 *:* users:(("named",pid=95,fd=515),("named",pid=95,fd=514))
```
To confirm that there are no line breaks I've tried this:
```
# ss -nulp4 | cat -A
State Recv-Q Send-Q Local Address:Port Peer Address:Port $
UNCONN 0 0 *:20000 *:* users:(("perl",pid=9316,fd=6))$
UNCONN 0 0 *:10000 *:* users:(("perl",pid=9277,fd=6))$
UNCONN 0 0 192.168.100.10:53 *:* users:(("named",pid=95,fd=517),("named",pid=95,fd=516))$
UNCONN 0 0 127.0.0.1:53 *:* users:(("named",pid=95,fd=515),("named",pid=95,fd=514))$
```
And indeed you can see that there were none, but now, strangely enough, output format is the way I've wanted it to be. Could someone explain what's going on here? How can I achieve my preferred formatting?
This is the only thing stopping me from migrating from `netstat` to `ss`.
NarūnasK
(2525 rep)
Jan 1, 2016, 08:26 PM
• Last activity: Nov 24, 2021, 05:54 AM
0 votes, 1 answer, 708 views
Can I use ss and filter on PID and FD?
I'd like to be able to run `ss` and filter on `PID=$(pgrep emacs)` and `FDs=(5u|6u|8u)`. Does `ss` support filtering on either (or both) of these? Or is the best option to compose with `grep`?
I'm currently using `lsof`, but I'd prefer to use `ss`:
```shell
lsof -p $(pgrep emacs) | rg '\b(5|6|8)u\b'
```
wpcarro
(101 rep)
Nov 5, 2021, 07:44 PM
• Last activity: Nov 5, 2021, 07:52 PM
Showing page 1 of 20 total questions