How to Use the ss Command on Linux

stock lede linux see attribution
A terminal window on a Linux laptop system.Fatmawati Achmad Zaenuri/Shutterstock

The ss command is a modern replacement for the classic netstat. You can use it on Linux to get statistics about your network connections. Here’s how to work with this handy tool.

The ss Command versus netstat

A replacement for the deprecated netstat command, ss gives you detailed information about how your computer communicates with other computers, networks, and services.

ss displays statistics for Transmission Control Protocol (TCP), User Datagram Protocol (UDP), Unix (interprocess), and raw sockets. Raw sockets operate at the network OSI level, which means TCP and UDP headers have to be handled by the application software, not by the transport layer. Internet Control Message Protocol (ICMP) messages and the ping utility both use raw sockets.

Using ss

You don’t have to install ss, as it’s already part of an up-to-date Linux distribution. Its output, however, can be very long—we’ve had results containing over 630 lines. The results are also very wide.

Because of this, we’ve included text representations of the results we obtained, as they wouldn’t fit in a screenshot. We’ve trimmed them to make them more manageable.

Listing Network Connections

Using ss with no command-line options lists sockets that are non-listening. That is, it lists the sockets that aren’t in the listening state.

To see this, type the following:

ss

ss in a terminal window

Output of ss in a terminal window.

Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process u_str ESTAB 0 0 * 41826 * 41827 u_str ESTAB 0 0 /run/systemd/journal/stdout 35689 * 35688 u_str ESTAB 0 0 * 35550 * 35551 … u_str ESTAB 0 0 * 38127 * 38128 u_str ESTAB 0 0 /run/dbus/system_bus_socket 21243 * 21242 u_str ESTAB 0 0 * 19039 * 19040 u_str ESTAB 0 0 /run/systemd/journal/stdout 18887 * 18885 u_str ESTAB 0 0 /run/dbus/system_bus_socket 19273 * 17306 icmp6 UNCONN 0 0 *:ipv6-icmp *:* udp ESTAB 0 0 192.168.4.28%enp0s3:bootpc 192.168.4.1:bootps

The columns are as follows:

  • Netid: The type of socket. In our example, we have “u_str,” a Unix stream, a “udp,” and “icmp6,” an IP version 6 ICMP socket. You can find more descriptions of Linux socket types in the Linux man pages.
  • State: The state the socket is in.
  • Recv-Q: The number of received packets.
  • Send-Q: The number of sent packets.
  • Local Address:Port: The local address and port (or equivalent values for Unix sockets).
  • Peer Address:Port: The remote address and port (or equivalent values for Unix sockets).

For UDP sockets the “State” column is usually blank. For TCP sockets it can be one of the following:

  • LISTEN: Server-side only. The socket is waiting for a connection request.
  • SYN-SENT: Client-side only. This socket has made a connection request and is waiting to see if it’s accepted.
  • SYN-RECEIVED: Server-side only. This socket is waiting for a connection acknowledgment after accepting a connection request.
  • ESTABLISHED: Server and clients. A working connection has been established between the server and the client, allowing data to be transferred between the two.
  • FIN-WAIT-1: Server and clients. This socket is awaiting a connection termination request from the remote socket, or an acknowledgment of a connection termination request that was previously sent from this socket.
  • FIN-WAIT-2: Server and clients. This socket is awaiting a connection termination request from the remote socket.
  • CLOSE-WAIT: Server and client. This socket is awaiting a connection termination request from the local user.
  • CLOSING: Server and clients. This socket is awaiting a connection termination request acknowledgment from the remote socket.
  • LAST-ACK: Server and client. This socket is awaiting an acknowledgment of the connection termination request it sent to the remote socket.
  • TIME-WAIT: Server and clients. This socket sent an acknowledgment to the remote socket to let it know it received the remote socket’s termination request. It’s now waiting to make sure that acknowledgment was received.
  • CLOSED: There is no connection, so the socket has been terminated.

Listing Listening Sockets

To see the listening sockets we’ll add the -l (listening) option, like so:

ss -l

ss -l in a terminal window.

Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process nl UNCONN 0 0 rtnl:NetworkManager/535 * nl UNCONN 0 0 rtnl:evolution-addre/2987 * … u_str LISTEN 0 4096 /run/systemd/private 13349 * 0 u_seq LISTEN 0 4096 /run/udev/control 13376 * 0 u_str LISTEN 0 4096 /tmp/.X11-unix/X0 33071 * 0 u_dgr UNCONN 0 0 /run/systemd/journal/syslog 13360 * 0 u_str LISTEN 0 4096 /run/systemd/fsck.progress 13362 * 0 u_dgr UNCONN 0 0 /run/user/1000/systemd/notify 32303 * 0

These sockets are all unconnected and listening. The “rtnl” means routing netlink, which is used to transfer information between kernel and userspace processes.

Listing All Sockets

To list all sockets, you can use the -a (all) option:

ss -a

ss -a in a terminal window.

Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process nl UNCONN 0 0 rtnl:NetworkManager/535 * nl UNCONN 0 0 rtnl:evolution-addre/2987 * … u_str LISTEN 0 100 public/showq 23222 * 0 u_str LISTEN 0 100 private/error 23225 * 0 u_str LISTEN 0 100 private/retry 23228 * 0 … udp UNCONN 0 0 0.0.0.0:631 0.0.0.0:* udp UNCONN 0 0 0.0.0.0:mdns 0.0.0.0:* … tcp LISTEN 0 128 [::]:ssh [::]:* tcp LISTEN 0 5 [::1]:ipp [::]:* tcp LISTEN 0 100 [::1]:smtp [::]:*

The output contains all sockets, regardless of state.

Listing TCP Sockets

You can also apply a filter so only matching sockets are displayed. We’ll use the -t (TCP) option, so only TCP sockets will be listed:

ss -a -t

 ss -a -t in a terminal window.

Listing UDP Sockets

The -u (UDP) option performs the same type of filtering action. This time, we’ll see only UDP sockets:

ss -a -u

ss -a -u in a terminal window.

State Recv-Q Send-Q Local Address:Port Peer Address:Port Process UNCONN 0 0 0.0.0.0:631 0.0.0.0:* UNCONN 0 0 0.0.0.0:mdns 0.0.0.0:* UNCONN 0 0 0.0.0.0:60734 0.0.0.0:* UNCONN 0 0 127.0.0.53%lo:domain 0.0.0.0:* ESTAB 0 0 192.168.4.28%enp0s3:bootpc 192.168.4.1:bootps UNCONN 0 0 [::]:mdns [::]:* UNCONN 0 0 [::]:51193 [::]:*

Listing Unix Sockets

To see only Unix sockets, you can include the  -x (Unix) option, as shown below:

ss -a -x

ss -a -x in a terminal window.

Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process u_str ESTAB 0 0 * 41826 * 41827 u_str ESTAB 0 0 * 23183 * 23184 u_str ESTAB 28 0 @/tmp/.X11-unix/X0 52640 * 52639 … u_str ESTAB 0 0 /run/systemd/journal/stdout 18887 * 18885 u_str ESTAB 0 0 /run/dbus/system_bus_socket 19273 * 17306

Listing Raw Sockets

The filter for raw sockets is the -w (raw) option:

ss -a -w

ss -a -w in a terminal window.

Listing IP Version 4 Sockets

Sockets using the TCP/IP version 4 protocol can be listed using the -4 (IPV4) option:

ss -a -4

ss -a -4 in a terminal window.

Listing IP Version 6 Sockets

You can turn on the matching IP version 6 filter with the -6 (IPV6) option, like so:

ss -a -6

ss -a -6 in a terminal window.

Listing Sockets By State

You can list sockets by the state in which they’re in with the state option. This works with established, listening, or closed states. We’ll also use the resolve option (-r), which tries to resolve network addresses to names, and ports to protocols.

The following command will look for established TCP connections, and ss will try to resolve the names:

ss -t -r state established

ss -t -r state established in a terminal window.

Four connections are listed that are in the established state. The hostname, ubuntu20-04, has been resolved and “ssh” is shown instead of 22 for the SSH connection on the second line.

We can repeat this to look for sockets in the listening state:

ss -t -r state listening

ss -t -r state listening in a terminal window.

Recv-Q Send-Q Local Address:Port Peer Address:Port Process 0 128 localhost:5939 0.0.0.0:* 0 4096 localhost%lo:domain 0.0.0.0:* 0 128 0.0.0.0:ssh 0.0.0.0:* 0 5 localhost:ipp 0.0.0.0:* 0 100 localhost:smtp 0.0.0.0:* 0 128 [::]:ssh [::]:* 0 5 ip6-localhost:ipp [::]:* 0 100 ip6-localhost:smtp [::]:*

Listing Sockets By Protocol

You can list the sockets using a particular protocol with the dport and sport options, which represent the destination and source ports, respectively.

We type the following to list sockets using the HTTPS protocol on an established connection (note the space after the opening parenthesis and before the closing one):

ss -a state established ‘( dport = :https or sport = :https )’

ss -a state established ‘( dport = :https or sport = :https )’ in a terminal window.

We can use the protocol name or the port usually associated with that protocol. The default port for Secure Shell (SSH) is port 22.

We’ll use the protocol name in one command, and then repeat it using the port number:

ss -a ‘( dport = :ssh or sport = :ssh )’ss -a ‘( dport = :22 or sport = :22 )’

ss -a ‘( dport = :ssh or sport = :ssh )’in a terminal window.

As expected, we get the same results.

Listing Connections to a Specific IP Address

With the dst (destination) option, we can list connections to a particular destination IP address.

We type the following:

ss -a dst 192.168.4.25

ss -a dst 192.168.4.25 in a terminal window.

Identifying Processes

To see which processes are using the sockets, you can use the processes option (-p), as shown below (note you must use sudo):

sudo ss -t -p

sudo ss -t -p in a terminal window.

State Recv-Q Send-Q Local Address:Port Peer Address:Port Process ESTAB 0 0 192.168.4.28:57650 54.218.19.119:https users:((“firefox”,pid=3378,fd=151)) ESTAB 0 0 192.168.4.28:ssh 192.168.4.25:43946 users:((“sshd”,pid=4086,fd=4),(“sshd”,pid=3985,fd=4))

This shows us that the two established connections on TCP sockets are being used by the SSH daemon and Firefox.

A Worthy Successor

The ss command provides the same information previously supplied by netstat, but in a simpler, more accessible way. You can check out the man page for more options and tips.

READ NEXT

Source

Leave a Reply