Nasser Heidari


Disable Beep/Bell ( Hardware beep )

Filed under: freebsd,Linux — Nasser Heidari @ 06:55

Linux kernel has PC speaker beeper driver called pcspkr.ko. This driver is responsible for generating beeps while working at shell prompt / x terminal. To turn off the beep, simply remove driver from kernel. You also need to black list this driver so that it will not get loaded automatically.

# rmmod -v pcspkr

to prevent this module load automatically when you reboot your pc:
Open /etc/modprobe.d/blacklist file and add pcspkr:

blacklist pcspkr

appending a module here prevents the hotplug scripts from loading it .

you can use this command To turn it back on:

# modprobe pcspkr 

To enable or disable bell use MIB hw.syscons.bell under FreeBSD operating systems. Type the following command to disable for current session:

# sysctl hw.syscons.bell=0

Make sure settings remains same after you reboot you pc, enter:

# echo "hw.syscons.bell=0" >> /etc/sysctl.conf


If you are working with X11, you can turn off the console beep using the command xset.

To turn the console beep off enter:

# xset b off

To turn it back on, enter:

# xset b on

You can also set the volume and the pitch of the beep. This is not always supported, depending on the hardware.

However if you want to set volume and pitch you can do something like that:

# xset b 10 1000 100

Send E-mail When sudo Runs

Filed under: freebsd,Linux,Security Tips and Issues — Nasser Heidari @ 06:41

Sudo can be configured to to send e-mail when the sudo command is used.
Edit /etc/sudoers file:

mailto ""
mail_always on

* mailto “” : Admin email Address.
* mail_always : Send mail to the mailto user every time a users runs sudo.

Additional options:

Option Description
mail_badpass Send mail to the mailto user if the user running sudo does not enter the correct password. This flag is off by default.
mail_no_host If set, mail will be sent to the mailto user if the invoking user exists in the sudoers file, but is not allowed to run commands on the current host. This flag is off by default.
mail_no_perms If set, mail will be sent to the mailto user if the invoking user is allowed to use sudo but the command they are trying is not listed in their sudoers file entry or is explicitly denied. This flag is off by default.
mail_no_user If set, mail will be sent to the mailto user if the invoking user is not in the sudoers file. This flag is on by default.

iostat – Linux Disk utilization

Filed under: Linux — Nasser Heidari @ 06:18

iostat syntax for disk utilization report

iostat -d -x interval count

* -d : Display the device utilization report (d == disk)
* -x : Display extended statistics including disk utilization
* interval : It is time period in seconds between two samples . iostat 2 will give data at each 2 seconds interval.
* count : It is the number of times the data is needed . iostat 2 5 will give data at 2 seconds interval 5 times

# iostat -d -x 4 5

Display 4 reports of extended statistics at 5 second intervals for disk .

Linux 2.6.18-92.1.13.el5 (Zapata)      07/08/2009

Device:         rrqm/s   wrqm/s   r/s   w/s   rsec/s   wsec/s avgrq-sz avgqu-sz   await  svctm  %util
cciss/c0d0        0.16    46.57  1.01 13.54    43.14    67.34     7.59     0.07    5.11   3.85   5.61

Device:         rrqm/s   wrqm/s   r/s   w/s   rsec/s   wsec/s avgrq-sz avgqu-sz   await  svctm  %util
cciss/c0d0        0.00  1067.83  0.00 160.85     0.00  9829.43    61.11    41.20  256.17   2.15  34.61

Device:         rrqm/s   wrqm/s   r/s   w/s   rsec/s   wsec/s avgrq-sz avgqu-sz   await  svctm  %util
cciss/c0d0        0.00     4.00  0.00  1.50     0.00    44.00    29.33     0.01    7.00   7.00   1.05

Device:         rrqm/s   wrqm/s   r/s   w/s   rsec/s   wsec/s avgrq-sz avgqu-sz   await  svctm  %util
cciss/c0d0        0.00    13.25  0.00  3.75     0.00   136.00    36.27     0.03    8.20   7.33   2.75

Device:         rrqm/s   wrqm/s   r/s   w/s   rsec/s   wsec/s avgrq-sz avgqu-sz   await  svctm  %util
cciss/c0d0        0.00     4.75  0.00  1.25     0.00    48.00    38.40     0.01    6.00   6.00   0.75

* rrqm/s : The number of read requests merged per second that were queued to the hard disk
* wrqm/s : The number of write requests merged per second that were queued to the hard disk
* r/s : The number of read requests per second
* w/s : The number of write requests per second
* rsec/s : The number of sectors read from the hard disk per second
* wsec/s : The number of sectors written to the hard disk per second
* avgrq-sz : The average size (in sectors) of the requests that were issued to the device.
* avgqu-sz : The average queue length of the requests that were issued to the device
* await : The average time (in milliseconds) for I/O requests issued to the device to be served. This includes the time spent by the requests in queue and the time spent servicing them.
* svctm : The average service time (in milliseconds) for I/O requests that were issued to the device
* %util : Percentage of CPU time during which I/O requests were issued to the device (bandwidth utilization for the device). Device saturation occurs when this value is close to 100%.

SS (Socket Stat) Utility: Quick Intro by Alexey Kuznetosv !

Filed under: Linux — Nasser Heidari @ 05:36

1. Why?

/proc interface is inadequate, unfortunately. When amount of sockets is enough large, netstat or even plain cat /proc/net/tcp/ cause nothing but pains and curses. In linux-2.4 the desease became worse: even if amount of sockets is small reading /proc/net/tcp/ is slow enough.

This utility presents a new approach, which is supposed to scale well. I am not going to describe technical details here and will concentrate on description of the command. The only important thing to say is that it is not so bad idea to load module tcp_diag, which can be found in directory Modules of iproute2. If you do not make this ss will work, but it falls back to /proc and becomes slow like netstat, well, a bit faster yet (see section “Some numbers”).

2. Old news

In the simplest form ss is equivalent to netstat with some small deviations.

  • ss -t -a dumps all TCP sockets
  • ss -u -a dumps all UDP sockets
  • ss -w -a dumps all RAW sockets
  • ss -x -a dumps all UNIX sockets

Option -o shows TCP timers state. Option -e shows some extended information. Etc. etc. etc. Seems, all the options of netstat related to sockets are supported. Though not AX.25 and other bizarres. :-) If someone wants, he can make support for decnet and ipx. Some rudimentary support for them is already present in iproute2 libutils, and I will be glad to see these new members.

However, standard functionality is a bit different:

The first: without option -a sockets in states TIME-WAIT and SYN-RECV are skipped too. It is more reasonable default, I think.

The second: format of UNIX sockets is different. It coincides with tcp/udp. Though standard kernel still does not allow to see write/read queues and peer address of connected UNIX sockets, the patch doing this exists.

The third: default is to dump only TCP sockets, rather than all of the types.

The next: by default it does not resolve numeric host addresses (like ip)! Resolving is enabled with option -r. Service names, usually stored in local files, are resolved by default. Also, if service database does not contain references to a port, ss queries system rpcbind. RPC services are prefixed with rpc. Resolution of services may be suppressed with option -n.

It does not accept “long” options (I dislike them, sorry). So, address family is given with family identifier following option -f to be algined to iproute2 conventions. Mostly, it is to allow option parser to parse addresses correctly, but as side effect it really limits dumping to sockets supporting only given family. Option -A followed by list of socket tables to dump is also supported. Logically, id of socket table is different of _address_ family, which is another point of incompatibility. So, id is one of all, tcp, udp, raw, inet, unix, packet, netlink. See? Well, inet is just abbreviation for tcp|udp|raw and it is not difficult to guess that packet allows to look at packet sockets. Actually, there are also some other abbreviations, f.e. unix_dgram selects only datagram UNIX sockets.

The next: well, I still do not know. :-)

3. Time to talk about new functionality.

It is builtin filtering of socket lists.

3.1 Filtering by state.

ss allows to filter socket states, using keywords state and exclude, followed by some state identifier.

State identifier are standard TCP state names (not listed, they are useless for you if you already do not know them) or abbreviations:

  • all – for all the states
  • bucket – for TCP minisockets (TIME-WAIT|SYN-RECV)
  • big – all except for minisockets
  • connected – not closed and not listening
  • synchronized – connected and not SYN-SENT

F.e. to dump all tcp sockets except SYN-RECV:

   ss exclude SYN-RECV

If neither state nor exclude directives are present, state filter defaults to all with option -a or to all, excluding listening, syn-recv, time-wait and closed sockets.

3.2 Filtering by addresses and ports.

Option list may contain address/port filter. It is boolean expression which consists of boolean operation or, and, not and predicates. Actually, all the flavors of names for boolean operations are eaten: &, &&, |, ||, !, but do not forget about special sense given to these symbols by unix shells and escape them correctly, when used from command line.

Predicates may be of the folowing kinds:

  • A. Address/port match, where address is checked against mask and port is either wildcard or exact. It is one of:

            dst prefix:port
            src prefix:port
            src unix:STRING
            src link:protocol:ifindex
            src nl:channel:pid

    Both prefix and port may be absent or replaced with *, which means wildcard. UNIX socket use more powerful scheme matching to socket names by shell wildcards. Also, prefixes unix: and link: may be omitted, if address family is evident from context (with option -x or with -f unix or with unix keyword)F.e.


    are equivalent and mean socket connected to any port on host


    sockets connected to port 22 on network…255.Note that port separated of address with colon, which creates troubles with IPv6 addresses. Generally, we interpret the last colon as splitting port. To allow to give IPv6 addresses, trick like used in IPv6 HTTP URLs may be used:

          dst [::1]

    are sockets connected to ::1 on any portAnother way is dst ::1128/. / helps to understand that colon is part of IPv6 address.

    Now we can add another alias for dst dst []. :-)

    Address may be a DNS name. In this case all the addresses are looked up (in all the address families, if it is not limited by option -f or special address prefix inet:, inet6) and resulting expression is or over all of them.

  • B. Port expressions:

          dport >= :1024
          dport != :22
          sport < :32000

    etc. All the relations: <, >, =, >=, =, ==, !=, eq, ge, lt, ne… Use variant which you like more, but not forget to escape special characters when typing them in command line. :-) Note that port number syntactically coincides to the case A! You may even add an IP address, but it will not participate incomparison, except for == and !=, which are equivalent to corresponding predicates of type A. F.e.dst is equivalent to dport eq and not dst is equivalent to dport neq

  • C. Keyword autobound. It matches to sockets bound automatically on local system.

4. Examples

  • 1. List all the tcp sockets in state FIN-WAIT-1 for our apache to network 193.233.7/24 and look at their timers:

       ss -o state fin-wait-1 \( sport = :http or sport = :https \) \
                              dst 193.233.7/24

    Oops, forgot to say that missing logical operation is equivalent to and.

  • 2. Well, now look at the rest…

       ss -o excl fin-wait-1
       ss state fin-wait-1 \( sport neq :http and sport neq :https \) \
                           or not dst 193.233.7/24

    Note that we have to do _two_ calls of ss to do this. State match is always anded to address/port match. The reason for this is purely technical: ss does fast skip of not matching states before parsing addresses and I consider the ability to skip fastly gobs of time-wait and syn-recv sockets as more important than logical generality.

  • 3. So, let’s look at all our sockets using autobound ports:

       ss -a -A all autobound
  • 4. And eventually find all the local processes connected to local X servers:

       ss -xp dst "/tmp/.X11-unix/*"

    Pardon, this does not work with current kernel, patching is required. But we still can look at server side:

       ss -x src "/tmp/.X11-unix/*"

5. Returning to ground: real manual

5.1 Command arguments

General format of arguments to ss is:



OPTIONS is list of single letter options, using common unix conventions.

  • -h – show help page
  • -? – the same, of course
  • -v, -V – print version of ss and exit
  • -s – print summary statistics. This option does not parse socket lists obtaining summary from various sources. It is useful when amount of sockets is so huge that parsing /proc/net/tcp is painful.
  • -D FILE – do not display anything, just dump raw information about TCP sockets to FILE after applying filters. If FILE is - stdout is used.
  • -F FILE – read continuation of filter from FILE. Each line of FILE is interpreted like single command line option. If FILE is - stdin is used.
  • -r – try to resolve numeric address/ports
  • -n – do not try to resolve ports
  • -o – show some optional information, f.e. TCP timers
  • -i – show some infomration specific to TCP (RTO, congestion window, slow start threshould etc.)
  • -e – show even more optional information
  • -m – show extended information on memory used by the socket. It is available only with tcp_diag enabled.
  • -p – show list of processes owning the socket
  • -f FAMILY – default address family used for parsing addresses. Also this option limits listing to sockets supporting given address family. Currently the following families are supported: unix, inet, inet6, link, netlink.
  • -4 – alias for -f inet
  • -6 – alias for -f inet6
  • -0 – alias for -f link
  • -A LIST-OF-TABLES – list of socket tables to dump, separated by commas. The following identifiers are understood: all, inet, tcp, udp, raw, unix, packet, netlink, unix_dgram, unix_stream, packet_raw, packet_dgram.
  • -x – alias for -A unix
  • -t – alias for -A tcp
  • -u – alias for -A udp
  • -w – alias for -A raw
  • -a – show sockets of all the states. By default sockets in states LISTEN, TIME-WAIT, SYN_RECV and CLOSE are skipped.
  • -l – show only sockets in state LISTEN


STATE-FILTER allows to construct arbitrary set of states to match. Its syntax is sequence of keywords state and exclude followed by identifier of state. Available identifiers are:

  • All standard TCP states: established, syn-sent, syn-recv, fin-wait-1, fin-wait-2, time-wait, closed, close-wait, last-ack, listen and closing.
  • all – for all the states
  • connected – all the states except for listen and closed
  • synchronized – all the connected states except for syn-sent
  • bucket – states, which are maintained as minisockets, i.e. time-wait and syn-recv.
  • big – opposite to bucket


ADDRESS_FILTER is boolean expression with operations and, or and not, which can be abbreviated in C style f.e. as &, &&.

Predicates check socket addresses, both local and remote. There are the following kinds of predicates:

  • dst ADDRESS_PATTERN – matches remote address and port
  • src ADDRESS_PATTERN – matches local address and port
  • dport RELOP PORT – compares remote port to a number
  • sport RELOP PORT – compares local port to a number
  • autobound – checks that socket is bound to an ephemeral port

RELOP is some of <=, >=, == etc. To make this more convinient for use in unix shell, alphabetic FORTRAN-like notations le, gt etc. are accepted as well.

The format and semantics of ADDRESS_PATTERN depends on address family.

  • inetADDRESS_PATTERN consists of IP prefix, optionally followed by colon and port. If prefix or port part is absent or replaced with *, this means wildcard match.
  • inet6 – The same as inet, only prefix refers to an IPv6 address. Unlike inet colon becomes ambiguous, so that ss allows to use scheme, like used in URLs, where address is suppounded with [].
  • unixADDRESS_PATTERN is shell-style wildcard.
  • packet – format looks like inet, only interface index stays instead of port and link layer protocol id instead of address.
  • netlink – format looks like inet, only socket pid stays instead of port and netlink channel instead of address.

PORT is syntactically ADDRESS_PATTERN with wildcard address part. Certainly, it is undefined for UNIX sockets.

5.2 Environment variables

ss allows to change source of information using various environment variables:

  • PROC_SLABINFO to override /proc/slabinfo
  • PROC_NET_TCP to override /proc/net/tcp
  • PROC_NET_UDP to override /proc/net/udp
  • etc.

Variable PROC_ROOT allows to change root of all the /proc/ hierarchy.

Variable TCPDIAG_FILE prescribes to open a file instead of requesting kernel to dump information about TCP sockets.

This option is used mainly to investigate bug reports, when dumps of files usually found in /proc/ are recevied by e-mail.

5.3 Output format

Six columns. The first is Netid, it denotes socket type and transport protocol, when it is ambiguous: tcp, udp, raw, u_str is abbreviation for unix_stream, u_dgr for UNIX datagram sockets, nl for netlink, p_raw and p_dgr for raw and datagram packet sockets. This column is optional, it will be hidden, if filter selects an unique netid.

The second column is State. Socket state is displayed here. The names are standard TCP names, except for UNCONN, which cannot happen for TCP, but normal for not connected sockets of another types. Again, this column can be hidden.

Then two columns (Recv-Q and Send-Q) showing amount of data queued for receive and transmit.

And the last two columns display local address and port of the socket and its peer address, if the socket is connected.

If options -o, -e or -p were given, options are displayed not in fixed positions but separated by spaces pairs: option:value. If value is not a single number, it is presented as list of values, enclosed to () and separated with commas. F.e.


is typical format for TCP timer (option -o).


is typical for list of users (option -p).

6. Some numbers

Well, let us use pidentd and a tool ibench to measure its performance. It is 30 requests per second here. Nothing to test, it is too slow. OK, let us patch pidentd with patch from directory Patches. After this it handles about 4300 requests per second and becomes handy tool to pollute socket tables with lots of timewait buckets.

So, each test starts from pollution tables with 30000 sockets and then doing full dump of the table piped to wc and measuring timings with time:


  • netstat -at – 15.6 seconds
  • ss -atr, but without tcp_diag – 5.4 seconds
  • ss -atr with tcp_diag – 0.47 seconds

No comments. Though one comment is necessary, most of time without tcp_diag is wasted inside kernel with completely blocked networking. More than 10 seconds, yes. tcp_diag does the same work for 100 milliseconds of system time.

vmstat – Find out Linux Resource utilization

Filed under: Linux — Nasser Heidari @ 05:16

vmstat command reports information about processes, memory, paging, block IO, traps, and cpu activity. However, a real advantage of vmstat command output – is to the point and (concise) easy to read/understand. The output of vmstat command use to help identify system bottlenecks. Please note that Linux vmstat does not count itself as a running process.

# vmstat -S m 4 5
procs -----------memory---------- ---swap-- -----io---- --system-- -----cpu------
 r  b   swpd   free   buff  cache   si   so    bi    bo   in   cs us sy id wa st
 1  0    330     95    231    848    0    0    11    17    0    0  6  0 91  2  0
 2  1    330     93    231    849    0    0     0  5493 1288  378 66  3 15 16  0
 0  0    330     95    231    849    0    0     0   110 1035  105 15  1 83  2  0
 0  0    330     97    231    849    0    0     0   919 1085  211  0  0 94  6  0
 0  0    330     96    231    849    0    0     0    29 1036   99  0  0 99  1  0


* The fist line is nothing but six different categories. The second line gives more information about each category. This second line gives all data you need.
* -S M: vmstat lets you choose units (k, K, m, M) default is K (1024 bytes) in the default mode. I am using M since this system has over 4 GB memory. Without -M option it will use K as unit.
* 4 5 :4 is the delay between updates in seconds, and 5 is the number of updates.

Field Description For Vm Mode

– procs is the process-related fields are:

* r: The number of processes waiting for run time.
* b: The number of processes in uninterruptible sleep.

– memory is the memory-related fields are:

* swpd: the amount of virtual memory used.
* free: the amount of idle memory.
* buff: the amount of memory used as buffers.
* cache: the amount of memory used as cache.

– swap is swap-related fields are:

* si: Amount of memory swapped in from disk (/s).
* so: Amount of memory swapped to disk (/s).

– io is the I/O-related fields are:

* bi: Blocks received from a block device (blocks/s).
* bo: Blocks sent to a block device (blocks/s).

– system is the system-related fields are:

* in: The number of interrupts per second, including the clock.
* cs: The number of context switches per second.

– cpu is the CPU-related fields are:

These are percentages of total CPU time.

* us: Time spent running non-kernel code. (user time, including nice time)
* sy: Time spent running kernel code. (system time)
* id: Time spent idle. Prior to Linux 2.5.41, this includes IO-wait time.
* wa: Time spent waiting for IO. Prior to Linux 2.5.41, shown as zero.
* st: Time stolen from a virtual machine. Prior to Linux 2.6.11, unknown.