How to Use the ss Command on Linux


The ss command is a modern replacement for the classic netstat. You can use it on Linux to get statistics on your network connections. Here’s how to work with this handy tool.

The ss command versus netstat

A replacement for the obsolete netstat command, ss gives you detailed information about how your computer communicates with other computers, networks, and services.

ss displays statistics for Transmission Control Protocol (TCP), User Datagram Protocol (UDP), Unix (interprocess), and raw sockets. Raw sockets operate at the network OSI level, which means that the TCP and UDP headers must be handled by the application software, not the transport layer. Internet Control Message Protocol (ICMP) messages and the ping utility both use raw sockets.

Using ss

You do not need to install ss, as it is already part of an up-to-date Linux distribution. Its output, however, can be very long: we had results containing over 630 rows. The results are also very wide.

For this reason, we have included textual representations of the results we obtained, as they do not fit in a screenshot. We have adjusted them to make them easier to manage.

List of network connections

Using ss without command line options lists sockets that are connected. In other words, it lists the sockets that are not listening.

To see this, type the following:

ss


Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
u_str ESTAB 0 0 * 41826 * 41827
u_str ESTAB 0 0 /run/systemd/journal/stdout 35689 * 35688
u_str ESTAB 0 0 * 35550 * 35551

u_str ESTAB 0 0 * 38127 * 38128
u_str ESTAB 0 0 /run/dbus/system_bus_socket 21243 * 21242
u_str ESTAB 0 0 * 19039 * 19040
u_str ESTAB 0 0 /run/systemd/journal/stdout 18887 * 18885
u_str ESTAB 0 0 /run/dbus/system_bus_socket 19273 * 17306
icmp6 UNCONN 0 0 *:ipv6-icmp *:*
udp ESTAB 0 0 192.168.4.28%enp0s3:bootpc 192.168.4.1:bootps

The columns are as follows:

Netid: The type of socket. In our example we have “u_str”, a Unix stream; “udp”; and “icmp6”, an ICMP IP version 6 socket. You can find more descriptions of Linux socket types in the Linux man pages.
State: The state in which the socket is located.
Recv-Q: The number of packets received.
Send-Q: The number of packets sent.
Local Address:Port: The local address and the port (or equivalent values for Unix sockets).
Peer Address:Port: The remote address and port (or equivalent values for Unix sockets).

For UDP sockets, the “State” column is usually empty. For TCP sockets, it can be one of the following:

LISTEN: Server side only. The socket is waiting for a connection request.
SYN-SENT: Client side only. This socket has made a connection request and is waiting to see if it is accepted.
SYN-RECEIVED: Server side only. This socket waits for a connection acknowledgment after accepting a connection request.
ESTABLISHED: Server and client. A functional connection has been established between the server and the client, allowing data transfer between the two.
FIN-WAIT-1: Server and client. This socket waits for a connection termination request from the remote socket, or an acknowledgment of a connection termination request that was previously sent from this socket.
FIN-WAIT-2: Server and client. This socket waits for a connection termination request from the remote socket.
CLOSE-WAIT: Server and client. This socket is waiting for a connection termination request from the local user.
CLOSING: Server and client. This socket waits for a connection termination request acknowledgment from the remote socket.
LAST-ACK: Server and client. This socket waits for an acknowledgment of the connection termination request that it sent to the remote socket.
TIME-WAIT: Server and client. This socket sent an acknowledgment to the remote socket to let it know that it received the termination request from the remote socket. It is now waiting to ensure that this acknowledgment has been received.
CLOSED: There is no connection, so the socket has been terminated.

List of listening sockets

To see the listening sockets, we’ll add the -l (listen) option, like this:

ss -l

Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
nl UNCONN 0 0 rtnl:NetworkManager/535 *
nl UNCONN 0 0 rtnl:evolution-addre/2987 *

u_str LISTEN 0 4096 /run/systemd/private 13349 * 0
u_seq LISTEN 0 4096 /run/udev/control 13376 * 0
u_str LISTEN 0 4096 /tmp/.X11-unix/X0 33071 * 0
u_dgr UNCONN 0 0 /run/systemd/journal/syslog 13360 * 0
u_str LISTEN 0 4096 /run/systemd/fsck.progress 13362 * 0
u_dgr UNCONN 0 0 /run/user/1000/systemd/notify 32303 * 0

These sockets are all unconnected and listening. The “rtnl” stands for routing netlink, which is used to transfer information between kernel and user space processes.

List of all sockets

To list all sockets, you can use the -a (all) option:

ss -a

Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
nl UNCONN 0 0 rtnl:NetworkManager/535 *
nl UNCONN 0 0 rtnl:evolution-addre/2987 *

u_str LISTEN 0 100 public/showq 23222 * 0
u_str LISTEN 0 100 private/error 23225 * 0
u_str LISTEN 0 100 private/retry 23228 * 0

udp UNCONN 0 0 0.0.0.0:631 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:mdns 0.0.0.0:*

tcp LISTEN 0 128 [::]:ssh [::]:*
tcp LISTEN 0 5 [::1]:ipp [::]:*
tcp LISTEN 0 100 [::1]:smtp [::]:*

The output contains all sockets, regardless of their state.

List of TCP sockets

You can also apply a filter so that only matching sockets are displayed. We will use the -t (TCP) option, so only TCP sockets will be listed:

ss -a -t

List of UDP sockets

The -u (UDP) option performs the same type of filtering action. This time we will only see UDP sockets:

ss -a -u

State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0 0 0.0.0.0:631 0.0.0.0:*
UNCONN 0 0 0.0.0.0:mdns 0.0.0.0:*
UNCONN 0 0 0.0.0.0:60734 0.0.0.0:*
UNCONN 0 0 127.0.0.53%lo:domain 0.0.0.0:*
ESTAB 0 0 192.168.4.28%enp0s3:bootpc 192.168.4.1:bootps
UNCONN 0 0 [::]:mdns [::]:*
UNCONN 0 0 [::]:51193 [::]:*

List of Unix sockets

To view only Unix sockets, you can include the -x (Unix) option, as shown below:

ss -a -x

Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
u_str ESTAB 0 0 * 41826 * 41827
u_str ESTAB 0 0 * 23183 * 23184
u_str ESTAB 28 0 @/tmp/.X11-unix/X0 52640 * 52639

u_str ESTAB 0 0 /run/systemd/journal/stdout 18887 * 18885
u_str ESTAB 0 0 /run/dbus/system_bus_socket 19273 * 17306

List of raw sockets

The filter for raw sockets is the -w (raw) option:

ss -a -w

List of IP version 4 sockets

Sockets using the TCP/IP version 4 protocol can be listed using the -4 (IPv4) option:

ss -a -4

List of IP version 6 sockets

You can activate the corresponding IP version 6 filter with the -6 (IPv6) option, like this:

ss -a -6

List of sockets by state

You can list sockets according to the state they are in with the state option. It works with established, listening or closed states. We’ll also use the resolve option (-r), which attempts to resolve network addresses to names and ports to protocols.

The following command will search for established TCP connections and ss will attempt to resolve the names:

ss -t -r state established

Four connections are listed in the established state. The hostname, ubuntu20-04, has been resolved and “ssh” is displayed instead of 22 for the SSH connection on the second line.

We can repeat this to find listening sockets:

ss -t -r state listen

Recv-Q Send-Q Local Address:Port Peer Address:Port Process
0 128 localhost:5939 0.0.0.0:*
0 4096 localhost%lo:domain 0.0.0.0:*
0 128 0.0.0.0:ssh 0.0.0.0:*
0 5 localhost:ipp 0.0.0.0:*
0 100 localhost:smtp 0.0.0.0:*
0 128 [::]:ssh [::]:*
0 5 ip6-localhost:ipp [::]:*
0 100 ip6-localhost:smtp [::]:*

List of sockets by protocol

You can list the sockets using a particular protocol with the dport and sport options, which represent the destination and source ports respectively.

We type the following to list the sockets using HTTPS over an established connection (note the space after the opening parenthesis and before the closing parenthesis):

ss -a state established '( dport = :https or sport = :https )'

We can use the name of the protocol or the port typically associated with that protocol. The default port for Secure Shell (SSH) is port 22.

We’ll use the protocol name in a single command, then repeat it using the port number:

ss -a '( dport = :ssh or sport = :ssh )'
ss -a '( dport = :22 or sport = :22 )'

As expected, we get the same results.

List of connections to a specific IP address

With the dst (destination) option, we can list the connections to a particular destination IP address.

We type the following:

ss -a dst 192.168.4.25

Identification of processes

To see which processes are using sockets, you can use the processes option (-p), as shown below (note that you need to use sudo):

sudo ss -t -p

State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 192.168.4.28:57650 54.218.19.119:https users:(("firefox",pid=3378,fd=151))
ESTAB 0 0 192.168.4.28:ssh 192.168.4.25:43946 users:(("sshd",pid=4086,fd=4),("sshd",pid=3985,fd=4))

This shows us that the two connections established on the TCP sockets are used by the SSH daemon and Firefox.
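Combining the listening filter with the process option gives a quick exposure check: which services accept connections on every interface, and which are bound to loopback only. The script below is an added example, not part of the original article. The sample lines are constructed (process names and PIDs are illustrative), and it assumes the -H (no header) and -n (numeric) options so the output is easy to parse.

```shell
#!/bin/sh
# Classify TCP listeners by how widely they are bound.
# Real input would come from: sudo ss -H -tlnp
#   -H no header, -t TCP, -l listening, -n numeric ports, -p owning process

# Constructed sample in the shape ss prints (not captured from a real host).
sample_listeners() {
cat <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=4086,fd=3))
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=612,fd=14))
LISTEN 0 5 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=801,fd=7))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=4086,fd=4))
LISTEN 0 5 [::1]:631 [::]:* users:(("cupsd",pid=801,fd=6))
LISTEN 0 100 192.168.4.28:8080 0.0.0.0:*
EOF
}

# Reads ss lines on stdin; prints "<exposure> <port> <address> <process>".
classify_listeners() {
awk '
$1 == "LISTEN" && match($4, /:[^:]*$/) {
    addr = substr($4, 1, RSTART - 1)      # everything before the last colon
    port = substr($4, RSTART + 1)
    sub(/%.*/, "", addr)                  # drop the %interface suffix
    if (addr == "0.0.0.0" || addr == "*" || addr == "[::]")
        exposure = "all-interfaces"
    else if (addr ~ /^127\./ || addr == "[::1]")
        exposure = "loopback"
    else
        exposure = "single-address"
    # The users:((...)) column is absent without sudo or for other users.
    proc = "unknown"
    if (match($0, /users:[(][(]"[^"]+"/))
        proc = substr($0, RSTART + 9, RLENGTH - 10)
    print exposure, port, addr, proc
}'
}

# Ports reachable on every interface: the ones to compare with firewall rules.
exposed_ports() {
    classify_listeners | awk '$1 == "all-interfaces" { print $2 }' | sort -un
}

sample_listeners | classify_listeners
```

On a live system, replace sample_listeners with sudo ss -H -tlnp; a listener reported as "unknown" usually means ss was run without the privileges needed to see the owning process.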

A worthy successor

The ss command provides the same information previously provided by netstat, but in a simpler and more accessible way. You can consult the man page for more options and advice.
