How to Use the Command 'sockstat' (with examples)

How to Use the Command 'sockstat' (with examples)

The sockstat command is a utility used predominantly on Unix-like operating systems to provide a snapshot of open Internet or UNIX domain sockets, both IPv4 and IPv6. It is especially useful for system administrators and developers who need to track socket usage in real-time, offering an invaluable insight into network operations on a particular system. The command in question is a rewrite for NetBSD 3.0 from FreeBSD’s sockstat, designed to encapsulate a diverse range of network-related functionalities.

Use case 1: Show information for IPv4, IPv6 and Unix sockets for both listening and connected sockets

Code:

sockstat

Motivation: When managing a server, it’s crucial to know which sockets are open and which services are using them. This kind of inventory can help in troubleshooting network issues, ensuring that unwanted services are not running and that all necessary services are up and operating over their designated sockets.

Explanation: The command sockstat with no additional arguments lists all open sockets, including both Internet and UNIX domain sockets. It provides a straightforward overview of the system’s socket status.

Example output:

USER     COMMAND    PID      FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       834      3  tcp4   192.168.1.2:22        192.168.1.100:52340
daemon   httpd      671      6  tcp6   ::1:80                *:*

Use case 2: Show information for IPv[4]/IPv[6] sockets [l]istening on specific [p]orts using a specific [P]rotocol

Code:

sockstat -4 -l -P tcp -p 80

Motivation: In environments where security is critical, knowing exactly which ports are open and which protocol they are using is imperative. A system administrator might use this command to verify that a web server is listening for connections on port 80 over TCP, for example.

Explanation:

  • -4: Restricts the display to IPv4 sockets.
  • -l: Filters the output to show only listening sockets.
  • -Ptcp: Specifies that we are interested in the TCP protocol.
  • -p 80: Further narrows down the output to sockets listening on port 80.

Example output:

USER     COMMAND    PID      FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
daemon   httpd      671      6  tcp4   *:80                  *:*

Use case 3: Also show [c]onnected sockets, showing [u]nix sockets

Code:

sockstat -cu

Motivation: Connected sockets indicate active connections between two endpoints. Viewing this information, particularly in conjunction with Unix sockets, is instrumental in identifying live communication channels which can be significant for performance monitoring or investigating suspected unauthorized connections.

Explanation:

  • -c: Instructs the command to display connected sockets, not just listening ones.
  • -u: Includes Unix domain sockets in addition to Internet sockets.

Example output:

USER     COMMAND    PID      FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
user     chatapp    4321     7  unix   /tmp/chatapp.sock     -

Use case 4: Only show [n]umeric output, without resolving symbolic names for addresses and ports

Code:

sockstat -n

Motivation: On systems with extensive DNS traffic or complex network structures, the use of symbolic names can add latency or ambiguity. Numeric output provides clear and immediate socket information, which is often preferable for scripting or exporting this data into other network tools.

Explanation:

  • -n: Configures sockstat to present numeric output for addresses and ports, avoiding resolution into hostnames or service names.

Example output:

USER     COMMAND    PID      FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       834      3  tcp4   192.168.1.2:22        192.168.1.100:52340

Use case 5: Only list sockets of the specified address [f]amily

Code:

sockstat -f inet6

Motivation: With the growing need to support IPv6, managing systems that cater to both IPv4 and IPv6 requires tools to segregate these. Focusing on specific address families can simplify troubleshooting and management tasks on dual-stack networks.

Explanation:

  • -f inet6: Limits the output to only include IPv6 sockets, which is particularly useful when transitioning or verifying IPv6 network configurations.

Example output:

USER     COMMAND    PID      FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
daemon   webserver  9021     3  tcp6   ::1:8080              *:*

Conclusion:

The sockstat command offers a comprehensive suite of options to investigate socket usage in Unix-like operating systems, offering precision and depth necessary for administrative or development purposes. By utilizing its flexible syntax, users can filter the socket information to suit their current needs, whether it’s looking for specific port usage, checking connected sockets, or restricting output to numeric form. These examples reflect common real-world situations where sockstat might be applied, illustrating the practical utility of this command in maintaining and monitoring system health.

Related Posts

How to Use the 'toolbox create' Command (with Examples)

How to Use the 'toolbox create' Command (with Examples)

The toolbox create command is an essential part of the Toolbox tool, which is designed to provide an environment that is containerized and isolated, yet highly integrated with the host system.

Read More
Mastering the Command 'alpine' (with examples)

Mastering the Command 'alpine' (with examples)

Alpine is a powerful email client and Usenet newsgroup program designed with a user-friendly interface inspired by editors such as pico and nano.

Read More
How to use the command 'meld' (with examples)

How to use the command 'meld' (with examples)

Meld is a graphical diffing and merging tool, an invaluable asset for developers and anyone involved in tasks involving file comparisons.

Read More