ss& netstat 统计结果不一样

1，ss的结果，closed状态的有3w多

# ss -s
Total: 30756 (kernel 31201)
TCP:   34076 (estab 9, closed 34011, orphaned 0, synrecv 0, timewait 4184/0), ports 0
Transport Total     IP        IPv6
*     31201     -         -
RAW   2         2         0
UDP   13        9         4
TCP   65        12        53
INET      80        23        57
FRAG      0         0         0

2，netstat统计只有一百来个连接

# netstat -n | awk '/^tcp/ {++S[$NF]} END {for(a in S) print a, S[a]}'
ESTABLISHED 9
TIME_WAIT 79

3，通过starce看看二者的统计方式得不同

ss直接取自/proc/net/sockstat

# strace -F -ff -t -tt -s 4096 -o s.out ss -s
...
1563360794.995285 open("/proc/net/sockstat", O_RDONLY) = 3
1563360794.995358 fstat(3, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
1563360794.995417 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f94e5a25000
1563360794.995470 read(3, "sockets: used 30741\nTCP: inuse 11 orphan 0 tw 4671 alloc 29878 mem 847\nUDP: inuse 9 mem 2\nUDPLITE: inuse 0\nRAW: inuse 2\nFRAG: inuse 0 me
mory 0\n", 1024) = 143
...

netstat是读取的/proc/pid/fd 下面关联tcp的socket

strace -F -ff -t -tt -s 4096 -o n.out netstat -antpl
...
1563360883.910941 open("/proc/1500/attr/current", O_RDONLY|O_CLOEXEC) = 5
1563360883.910993 read(5, 0x56114ec94ba0, 4095) = -1 EINVAL (Invalid argument)
1563360883.911051 close(5)              = 0
1563360883.911106 readlink("/proc/1500/fd/6", "socket:[38288]", 29) = 14
1563360883.911159 open("/proc/1500/attr/current", O_RDONLY|O_CLOEXEC) = 5
1563360883.911209 read(5, 0x56114ec94c00, 4095) = -1 EINVAL (Invalid argument)
1563360883.911257 close(5)              = 0
1563360883.911304 readlink("/proc/1500/fd/7", "socket:[38289]", 29) = 14
1563360883.911357 open("/proc/1500/attr/current", O_RDONLY|O_CLOEXEC) = 5
1563360883.911407 read(5, 0x56114ec94c60, 4095) = -1 EINVAL (Invalid argument)
1563360883.911454 close(5)              = 0
1563360883.911502 readlink("/proc/1500/fd/8", "socket:[38290]", 29) = 14
1563360883.911554 open("/proc/1500/attr/current", O_RDONLY|O_CLOEXEC) = 5
1563360883.911604 read(5, 0x56114ec94cc0, 4095) = -1 EINVAL (Invalid argument)
1563360883.911651 close(5)              = 0
1563360883.911699 readlink("/proc/1500/fd/9", "socket:[38291]", 29) = 14
1563360883.911751 open("/proc/1500/attr/current", O_RDONLY|O_CLOEXEC) = 5
1563360883.911801 read(5, 0x56114ec94d20, 4095) = -1 EINVAL (Invalid argument)
1563360883.911848 close(5)              = 0
1563360883.911919 readlink("/proc/1500/fd/10", "socket:[38292]", 29) = 14
1563360883.911972 open("/proc/1500/attr/current", O_RDONLY|O_CLOEXEC) = 5
1563360883.912023 read(5, 0x56114ec94d80, 4095) = -1 EINVAL (Invalid argumen
...
# grep -c socket 1.out.764
30133

4，netstat也有扫到三万多个socket，为什么输出的时候没有展示呢？

By  default, netstat displays a list of open sockets.  If you don't specify any address families, then the active sockets of all configured address families
     will be printed.

5，找出来哪个pid的socket比较多，对/proc/pid/fd目录做批量扫描

for d in /proc/[0-9]*;do pid=$(basename $d);s=$(ls -l $d/fd | egrep -i socket | wc -l 2>/dev/null); [ -n "$s" ] && echo "$s $pid";done | sort -n | tail -20

6,进入到/proc/7136/目录 查看cmdline或者直接ps -ef |grep pid拿到进程，后面就需要客户自查了