How to Use the Command 'sockstat' (with Examples)

The sockstat command is a useful utility for system administrators and developers, particularly those working within FreeBSD environments. It provides a summary of all open Internet or UNIX domain sockets, allowing users to see which ports are active and which users and processes are associated with them. This can be critical for troubleshooting network services, managing system resources, and ensuring system security. Below, we'll explore several use cases for the sockstat command.

Use Case 1: View Which Users/Processes are Listening on Which Ports

Code:

sockstat -l

Motivation:

System administrators often need to monitor which services are actively listening on network ports. This is essential for security audits, network performance tuning, and service management. Knowing which processes are listening can help quickly identify unauthorized or unnecessary services that might pose security risks.

Explanation:

  • -l: This option filters the output to display only listening sockets. Listening sockets are those that are ready to accept incoming connections. This is particularly useful when you are trying to ensure that only expected services are exposed to the network.

Example Output:

USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       863   3  tcp4   *:22                  *:*
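
As an added example (not part of the original article), the following script turns the audit described above into a repeatable check: it reads sockstat -l output and reports every Internet listener that is not on an allowlist. The allowlist entries, the function names and the sample lines are constructed for illustration, and the parser assumes command names contain no spaces.

```sh
#!/bin/sh
# Added example: audit `sockstat -l` output against an allowlist of listeners.
# ALLOWED entries are "command:proto:port" (a constructed policy, an assumption).
ALLOWED="sshd:tcp4:22 sshd:tcp6:22 nginx:tcp4:443"

# Reads sockstat -l output on stdin and prints one line per listener that is
# not allowlisted: "<scope> user command pid proto local-address", where
# scope is LOOPBACK-ONLY (reachable only from this host) or UNEXPECTED.
audit_listeners() {
    awk -v allowed="$ALLOWED" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "USER" || $1 == "UID" { next }      # header line (absent with -q)
    $5 !~ /^(tcp|udp)(4|6|46)?$/ { next }     # skip UNIX-domain and other sockets
    {
        addr = $6
        port = addr; sub(/.*:/, "", port)     # port follows the last colon
        host = substr(addr, 1, length(addr) - length(port) - 1)
        if (($2 ":" $5 ":" port) in ok) next  # expected service
        scope = (host ~ /^127\./ || host == "::1") ? "LOOPBACK-ONLY" : "UNEXPECTED"
        print scope, $1, $2, $3, $5, addr
    }'
}

# Constructed sample input in the layout shown in the example output above.
sample_sockstat_output() {
    cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       863   3  tcp4   *:22                  *:*
root     sshd       863   4  tcp6   *:22                  *:*
www      nginx      1367  6  tcp4   *:443                 *:*
postgres postgres   2210  5  tcp4   127.0.0.1:5432        *:*
alice    python3.11 4021  3  tcp4   *:8000                *:*
root     syslogd    702   7  udp4   *:514                 *:*
root     syslogd    702   4  dgram  /var/run/log
EOF
}

# On a FreeBSD host, replace the sample with:  sockstat -46 -l | audit_listeners
sample_sockstat_output | audit_listeners
```

Listeners reported as LOOPBACK-ONLY are not reachable from the network but still deserve a place in the allowlist once confirmed; UNEXPECTED entries are the ones to investigate first.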

Use Case 2: Show Information for IPv4/IPv6 Sockets Listening on Specific Ports Using a Specific Protocol

Code:

sockstat -4 -l -P tcp -p 80,443

Motivation:

This use case addresses a scenario where an administrator needs to check web server availability and configuration, particularly looking for which processes are using standard HTTP and HTTPS ports. This is crucial during initial deployment phases or when diagnosing connectivity issues.

Explanation:

  • -4: Restricts the output to IPv4 addresses. IPv4 is still widely used, and focusing on it can simplify diagnostics.
  • -6: If used, it restricts output to IPv6 addresses, but in this example, we’re focusing on IPv4.
  • -l: Lists only listening sockets, as before.
  • -P tcp: Filters by TCP protocol, which is used by web servers.
  • -p 80,443: Specifies the ports of interest, 80 for HTTP and 443 for HTTPS.

Example Output:

USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
www      apache     1523  3  tcp4   *:80                  *:*
www      apache     1523  4  tcp4   *:443                 *:*

Use Case 3: Also Show Connected Sockets, Not Resolving Numeric UIDs to User Names and Using a Wider Field Size

Code:

sockstat -cnw

Motivation:

Sometimes, administrators need a comprehensive view of both listening and connected sockets, as well as uncluttered numeric data for efficient script parsing or when diagnosing user issues based on UID. This mode avoids resolving UIDs to names, which can speed up command execution on systems with a large number of users or complex configurations.

Explanation:

  • -c: Includes both listening and connected sockets in the output, providing a full picture of network activity.
  • -n: Prevents resolving numeric UIDs to usernames, speeding up the output generation.
  • -w: Increases the field width in the output, making it easier to read long addresses or identifiers.

Example Output:

UID      COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
1001     firefox    1782  39 tcp4   10.0.0.2:58462        93.184.216.34:80

Use Case 4: Only Show Sockets That Belong to a Specific Jail ID or Name in Verbose Mode

Code:

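sockstat -v -j jail_id_or_name

Motivation:

Jails are a powerful feature in FreeBSD, providing isolated environments for applications. Monitoring sockets within a specific jail is necessary for security, performance analysis, and ensuring the integrity of applications running within them.

Explanation:

  • -j: Targets sockets belonging to a specific jail. The option takes the jail ID or name as its argument (jail_id_or_name above is a placeholder), so it must come last when combined with other flags; written as -jv, the v would be read as the jail name. This is invaluable when managing multiple isolated environments on a single host.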
  • -v: Enables verbose mode, providing additional details in the output that might be crucial for a deep analysis.

Example Output:

JAILID   USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
3        www      nginx      1367  6  tcp4   192.168.1.10:80       *:*

Use Case 5: Display the Protocol State and the Remote UDP Encapsulation Port Number, if Applicable

Code:

sockstat -sU

Motivation:

Viewing protocol state and remote encapsulation details is essential for developers and admins working with transport-layer protocols like SCTP and TCP, especially when tuning performance or diagnosing issues related to transport mechanisms.

Explanation:

  • -s: Adds state information about the protocol, providing insights into the session states for TCP connections.
  • -U: Shows the remote UDP encapsulation port number, if applicable. This is especially useful for troubleshooting encapsulated protocols.

Example Output:

USER     COMMAND    PID   FD PROTO  STATE        LOCAL ADDRESS    FOREIGN ADDRESS
root     sctp_app   1119  4  sctp   ESTABLISHED  192.168.1.5      *:*

Use Case 6: Display the Congestion Control Module and the Protocol Stack, if Applicable

Code:

sockstat -CS

Motivation:

Understanding which congestion control algorithms and protocol stacks are in use is important for network performance tuning and adapting to network conditions. This is highly relevant in environments with varying network load and bandwidth availability.

Explanation:

  • -C: Displays the congestion control module in use. This can be critical for performance optimization.
  • -S: Shows the protocol stack, enhancing the understanding of how data is being managed and transmitted.

Example Output:

USER     COMMAND    PID   FD PROTO  CC_MODULE   STACK
root     sshd       863   3  tcp4   newreno     protostack

Use Case 7: Only Show Internet Sockets if Both Local and Foreign Addresses Are Not in the Loopback Network

Code:

sockstat -L

Motivation:

Focusing only on external and non-loopback connections is essential for system security and monitoring incoming and outgoing Internet traffic, rather than internal communications which could clutter the output.

Explanation:

  • -L: Filters out sockets with local and foreign addresses within the loopback network, which is usually reserved for internal communications.

Example Output:

USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
apache   apache     1523  5  tcp4   192.168.1.15:8080     203.0.113.5:54821

Use Case 8: Quiet Mode, Showing UNIX Sockets and Displaying the inp_gencnt

Code:

sockstat -qui

Motivation:

Operating in quiet mode without a header is useful for scripting and automated logging where minimal output is preferred. Unix sockets are pivotal for application-to-application communication on the same machine. Displaying inp_gencnt helps when monitoring connection generations or tracing socket activity over time.

Explanation:

  • -q: Quiet mode, which suppresses the header in the output for cleaner logging and scripting.
  • -u: Includes UNIX domain sockets in the output, which are crucial for IPC (Inter-Process Communication).
  • -i: Displays the inp_gencnt, a generation count useful for tracking socket lifecycle events.

Example Output:

123      bash       432   6  unix   0xffff7a27104f2000  0x0

Conclusion

The sockstat command is a versatile tool that enables system administrators and developers to monitor and manage network connections effectively. By tailoring its output through a variety of options discussed above, users can conduct detailed analyses, troubleshoot network issues, ensure security, and optimize system performance. Such command-line tools are indispensable in maintaining operational excellence in FreeBSD systems.
