How to Use the Command 'sockstat' (with Examples)
- Freebsd
- December 17, 2024
The sockstat command is an incredibly useful utility for system administrators and developers, particularly those working within FreeBSD environments. It provides a summary of all open Internet or UNIX domain sockets, allowing users to see which ports are active, which users and processes are associated with them, and much more. This can be critical for troubleshooting network services, managing system resources, and ensuring system security. Below, we’ll explore several use cases for the sockstat command, illustrating its versatility and power.
Use Case 1: View Which Users/Processes are Listening on Which Ports
Code:
sockstat -l
Motivation:
System administrators often need to monitor which services are actively listening on network ports. This is essential for security audits, network performance tuning, and service management. Knowing which processes are listening can help quickly identify unauthorized or unnecessary services that might pose security risks.
Explanation:
-l: This option filters the output to display only listening sockets. Listening sockets are those that are ready to accept incoming connections. This is particularly useful when you are trying to ensure that only expected services are exposed to the network.
Example Output:
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       863   3  tcp4   *:22                  *:*
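One way to script the audit described above, as an added example that is not part of the original article: the function below reads sockstat -l output and reports every listener whose command and port are not on an approved list. The ALLOWED policy, the function names and the sample rows are constructed for illustration, and command names are assumed to contain no spaces.

```shell
#!/bin/sh
# Added example (not from the original article): report listening sockets
# that are not on an approved list.

# Hypothetical site policy: approved "command:port" pairs, space separated.
ALLOWED="sshd:22 apache:80 apache:443"

# Constructed sample in the layout of `sockstat -l`; not captured from a real host.
sample_output() {
    cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       863   3  tcp4   *:22                  *:*
www      apache     1523  3  tcp4   *:80                  *:*
www      apache     1523  4  tcp4   *:443                 *:*
alice    python3.11 2044  3  tcp4   *:8000                *:*
root     syslogd    711   7  udp4   127.0.0.1:514         *:*
EOF
}

# Reads `sockstat -l` output on stdin and prints one line per listener whose
# command:port pair is missing from the list passed as $1.
# Live use: sockstat -l | audit_listeners "$ALLOWED"
audit_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # Skip the header (absent when -q is used) and rows without 7 columns.
        $1 == "USER" || $1 == "UID" || NF < 7 { next }
        {
            port = $6; sub(/.*:/, "", port)        # text after the last colon
            addr = $6; sub(/:[^:]*$/, "", addr)    # text before the last colon
            key = $2 ":" port
            if (!(key in ok)) {
                # A wildcard bind is reachable on every interface.
                scope = (addr == "*") ? "all-interfaces" : addr
                printf "UNEXPECTED user=%s cmd=%s pid=%s proto=%s port=%s bind=%s\n",
                       $1, $2, $3, $5, port, scope
            }
        }'
}

sample_output | audit_listeners "$ALLOWED"
```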
Use Case 2: Show Information for IPv4/IPv6 Sockets Listening on Specific Ports Using a Specific Protocol
Code:
sockstat -4 -l -P tcp -p 80,443
Motivation:
This use case addresses a scenario where an administrator needs to check web server availability and configuration, particularly looking for which processes are using standard HTTP and HTTPS ports. This is crucial during initial deployment phases or when diagnosing connectivity issues.
Explanation:
-4: Restricts the output to IPv4 addresses. IPv4 is still widely used, and focusing on it can simplify diagnostics.
-6: If used, it restricts output to IPv6 addresses, but in this example, we’re focusing on IPv4.
-l: Lists only listening sockets, as before.
-P tcp: Filters by TCP protocol, which is used by web servers.
-p 80,443: Specifies the ports of interest, 80 for HTTP and 443 for HTTPS.
Example Output:
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
www      apache     1523  3  tcp4   *:80                  *:*
www      apache     1523  4  tcp4   *:443                 *:*
Use Case 3: Also Show Connected Sockets, Not Resolving Numeric UIDs to User Names and Using a Wider Field Size
Code:
sockstat -cnw
Motivation:
Sometimes, administrators need a comprehensive view of both listening and connected sockets, as well as uncluttered numeric data for efficient script parsing or when diagnosing user issues based on UID. This mode avoids resolving UIDs to names, which can speed up command execution on systems with a large number of users or complex configurations.
Explanation:
-c: Includes both listening and connected sockets in the output, providing a full picture of network activity.
-n: Prevents resolving numeric UIDs to usernames, speeding up the output generation.
-w: Increases the field width in the output, making it easier to read long addresses or identifiers.
Example Output:
UID      COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
1001     firefox    1782  39 tcp4   10.0.0.2:58462        93.184.216.34:80
Use Case 4: Only Show Sockets That Belong to a Specific Jail ID or Name in Verbose Mode
Code:
sockstat -j jail_id_or_name -v
Motivation:
Jails are a powerful feature in FreeBSD, providing isolated environments for applications. Monitoring sockets within a specific jail is necessary for security, performance analysis, and ensuring the integrity of applications running within them.
Explanation:
-j jail_id_or_name: Targets sockets belonging to a specific jail, given as the jail ID or name that follows the option. This is invaluable when managing multiple isolated environments on a single host.
-v: Enables verbose mode, providing additional details in the output that might be crucial for a deep analysis.
Example Output:
JAILID USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
3      www      nginx      1367  6  tcp4   192.168.1.10:80       *:*
Use Case 5: Display the Protocol State and the Remote UDP Encapsulation Port Number, if Applicable
Code:
sockstat -sU
Motivation:
Viewing protocol state and remote encapsulation details is essential for developers and admins working with transport-layer protocols like SCTP and TCP, especially when tuning performance or diagnosing issues related to transport mechanisms.
Explanation:
-s: Adds state information about the protocol, providing insights into the session states for TCP connections.
-U: Shows the remote UDP encapsulation port number, if applicable. This is especially useful for troubleshooting encapsulated protocols.
Example Output:
USER     COMMAND    PID   FD PROTO  STATE        LOCAL ADDRESS         FOREIGN ADDRESS
root     sctp_app   1119  4  sctp   ESTABLISHED  192.168.1.5           *:*
Use Case 6: Display the Congestion Control Module and the Protocol Stack, if Applicable
Code:
sockstat -CS
Motivation:
Understanding which congestion control algorithms and protocol stacks are in use is important for network performance tuning and adapting to network conditions. This is highly relevant in environments with varying network load and bandwidth availability.
Explanation:
-C: Displays the congestion control module in use. This can be critical for performance optimization.
-S: Shows the protocol stack, enhancing the understanding of how data is being managed and transmitted.
Example Output:
USER     COMMAND    PID   FD PROTO  CC_MODULE  STACK
root     sshd       863   3  tcp4   newreno    protostack
Use Case 7: Only Show Internet Sockets if Both Local and Foreign Addresses Are Not in the Loopback Network
Code:
sockstat -L
Motivation:
Focusing only on external and non-loopback connections is essential for system security and monitoring incoming and outgoing Internet traffic, rather than internal communications which could clutter the output.
Explanation:
-L: Filters out sockets with local and foreign addresses within the loopback network, which is usually reserved for internal communications.
Example Output:
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
apache   apache     1523  5  tcp4   192.168.1.15:8080     203.0.113.5:54821
Use Case 8: Quiet Mode, Showing UNIX Sockets and Displaying the inp_gencnt
Code:
sockstat -qui
Motivation:
Operating in quiet mode without a header is useful for scripting and automated logging where minimal output is preferred. Unix sockets are pivotal for application-to-application communication on the same machine. Displaying inp_gencnt helps when monitoring connection generations or tracing socket activity over time.
Explanation:
-q: Quiet mode, which suppresses the header in the output for cleaner logging and scripting.
-u: Includes UNIX domain sockets in the output, which are crucial for IPC (Inter-Process Communication).
-i: Displays the inp_gencnt, a generation count useful for tracking socket lifecycle events.
Example Output:
123 bash 432 6 unix 0xffff7a27104f2000 0x0
Conclusion
The sockstat command is a versatile tool that enables system administrators and developers to monitor and manage network connections effectively. By tailoring its output through a variety of options discussed above, users can conduct detailed analyses, troubleshoot network issues, ensure security, and optimize system performance. Such command-line tools are indispensable in maintaining operational excellence in FreeBSD systems.