Exploring the 'sockstat' Command (with examples)
- Linux
- December 17, 2024
The sockstat command is a useful utility for examining open sockets, both Internet and UNIX domain, on a system. It shows which socket connections each process has opened, which is useful for troubleshooting, monitoring, and managing system resources. Its options let users filter and view socket information by criteria such as protocol type, port, specific processes, users, or groups. The following examples illustrate how to use sockstat in different scenarios.
Use case 1: Show information for IPv4 and IPv6 sockets for both listening and connected sockets
Code:
sockstat
Motivation:
Using the sockstat command without any additional options provides a comprehensive overview of all open sockets on the system, including both IPv4 and IPv6 types. This command is an essential tool for network diagnostics, allowing system administrators to ensure that all active and listening connections are legitimate and to detect any suspicious activity.
Explanation:
sockstat: Invoked without options, sockstat displays all sockets, whether they are in a listening state or a connected state, covering both IPv4 and IPv6 addresses.
Example Output:
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root sshd 1234 3 tcp4 192.168.1.100:22 192.168.1.2:54234
user1 firefox 5678 5 tcp6 2607:f8b0::8:80 2800:3f0:4001:c03::8f
Use case 2: Show information for IPv[4]/IPv[6] sockets [l]istening on specific [p]orts using a specific p[R]otocol
Code:
sockstat -4 -l -R tcp -p 22,80
Motivation:
This example is particularly useful for security audits or when configuring firewalls. By filtering based on protocol and specific ports, users can quickly verify which applications are bound to critical ports, such as SSH (port 22) and HTTP (port 80), and ensure they are appropriately configured.
Explanation:
-4: Limits the output to IPv4 sockets.
-l: Shows only listening sockets.
-R tcp: Specifies the TCP protocol.
-p 22,80: Filters to show only sockets listening on ports 22 and 80.
Example Output:
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root sshd 1234 3 tcp4 0.0.0.0:22 *:*
www httpd 4321 6 tcp4 0.0.0.0:80 *:*
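The security-audit use described above can be turned into a repeatable check. The following added example (not part of the original page) reads sockstat output in the column layout shown and reports every listening TCP/UDP socket whose command:port pair is not on an allow-list; it also accepts the unfiltered output of use case 1, skipping UNIX domain and connected sockets itself. The allow-list and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the page's sockstat output layout (not a real capture).
SAMPLE='USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root sshd 1234 3 tcp4 0.0.0.0:22 *:*
www httpd 4321 6 tcp4 0.0.0.0:80 *:*
user1 python3 7777 4 tcp4 0.0.0.0:8080 *:*
user1 chrome 6789 10 tcp4 192.168.1.100:54321 93.184.216.34:443
root mysql 2345 4 unix /var/run/mysql/mysql.sock'

# Expected listeners as whitespace-separated "command:port" pairs (assumed baseline).
ALLOW="sshd:22 httpd:80"

# audit_listeners: reads sockstat output on stdin and prints one line per
# listening Internet socket whose command:port pair is not in $ALLOW.
audit_listeners() {
    awk -v allow="$ALLOW" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR == 1 { next }                       # skip the header line
        $5 !~ /^(tcp|udp)[46]?$/ { next }      # ignore UNIX domain sockets
        $7 != "*:*" { next }                   # keep only listening sockets
        {
            port = $6; sub(/.*:/, "", port)    # port is the text after the last colon
            key = $2 ":" port
            if (!(key in ok)) printf "%s %s pid=%s %s\n", $1, $2, $3, $6
        }'
}

# count_unexpected: number of unexpected listeners in the sample (used as a check).
count_unexpected() {
    printf '%s\n' "$SAMPLE" | audit_listeners | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE" | audit_listeners
```

On a live system, replace the sample with `sockstat -l | audit_listeners` and a non-empty result is a deviation from the baseline worth investigating.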
Use case 3: Also show [c]onnected sockets and [u]nix sockets
Code:
sockstat -cu
Motivation:
This command is beneficial for understanding both the active network communications and the internal UNIX domain sockets in use by applications on a system. Such comprehensiveness aids in optimizing performance and debugging application-specific issues.
Explanation:
-c: Includes connected sockets in the listing.
-u: Includes UNIX domain sockets, giving a complete view of both network and local communication channels.
Example Output:
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root mysql 2345 4 unix /var/run/mysql/mysql.sock
user1 chrome 6789 10 tcp4 192.168.1.100:54321 93.184.216.34:443
Use case 4: Only show sockets of the specified pid or process
Code:
sockstat -P sshd
Motivation:
When managing specific processes, such as SSH for secure remote connections, it is often necessary to inspect the sockets that are exclusive to that service. This provides insight into what connectivity is being handled and helps troubleshoot issues related to that specific process.
Explanation:
-P sshd: Filters the listing to show sockets that belong to the sshd process.
Example Output:
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root sshd 1234 3 tcp4 0.0.0.0:22 192.168.1.2:54234
Use case 5: Only show sockets of the specified uid or user
Code:
sockstat -U user1
Motivation:
This is handy when monitoring the network activity of specific users, especially in shared environments. It helps to ensure compliance with usage policies and identify any unauthorized or unusual network access patterns.
Explanation:
-U user1: Lists sockets opened by the user user1.
Example Output:
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
user1 chrome 6789 10 tcp4 192.168.1.100:54321 93.184.216.34:443
Use case 6: Only show sockets of the specified gid or group
Code:
sockstat -G www
Motivation:
Organizations often manage services at the group level, such as all web services under the www group. This command helps check all network connections associated with a service group, ensuring that resource sharing adheres to organizational policies and standards.
Explanation:
-G www: Filters the output to show sockets belonging to the www group.
Example Output:
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
www httpd 4321 6 tcp4 0.0.0.0:80 *:*
Conclusion:
The sockstat command is a powerful tool for managing and diagnosing socket connections on a system. By allowing users to filter and display socket information in various ways, from protocols and ports to specific processes, users, or groups, it provides flexibility and precision in network management and system administration. This allows not only efficient monitoring and troubleshooting but also strengthens security by keeping track of what is happening on the network.