1

When I type ss -atur I get lots of connections, but most are destined for localhost and I don't really care about those.

How can I filter the output to not show connections with destination localhost?

I tried ss -atur '(dst ne localhost)' but get Error: an inet prefix is expected rather than "(dst".. Without the parentheses I get ss: bison bellows (while parsing filter): "syntax error!" Sorry..

The best I can do is pipe to grep, but that has no way of distinguishing localhost in source vs destination (without a complex regex pattern).

Bagalaw
  • 835
  • 2
  • 9
  • 24

1 Answers1

2

A sufficient syntax is:

ss -atur '! dst localhost'

While i'd rather use (mind the spaces between parentheses and keywords):

ss -atur '! ( dst 127.0.0.1 or dst [::1] )'

Using localhost seems to have a strange behaviour: while it's working as expected in ss -atru '! dst localhost', when not in a negation, it appears to default to IPv4 unless using ss -6 to display IPv6 or ss -46 to display both: I would have expected the default is to display both.

Documentation is a bit lacking, as is mentioned in this Q/A. There are still some examples in the man, but this page (probably using the old removed documentation) is more useful:

https://www.cyberciti.biz/files/ss.html

(which can also be found there: http://linux-ip.net/gl/ss/ss-node5.html but the one flat page format above seems more useful)

A.B
  • 31,762
  • 2
  • 62
  • 101