Introduction
The ss command is a powerful utility for analyzing network sockets in Linux systems. Short for “socket statistics,” ss provides detailed information about TCP, UDP, DCCP, RAW, and Unix domain sockets. It has largely replaced the older netstat command due to its superior performance and more detailed output capabilities.
Whether you’re a system administrator troubleshooting network issues, a developer debugging application connections, or a security professional monitoring for suspicious activity, ss is an essential tool in your Linux toolkit.
This comprehensive guide covers everything from basic ss usage to advanced filtering and troubleshooting techniques.
Understanding Socket Statistics
What Are Sockets?
A socket is an endpoint for network communication. Each socket is identified by a combination of:
- Protocol (TCP, UDP, etc.)
- Local IP address and port
- Remote IP address and port
- Connection state
Sockets allow processes to communicate either locally or over a network. Understanding socket states helps diagnose connection issues and optimize network performance.
Why Socket Monitoring Matters
Monitoring socket statistics helps you:
- Identify Performance Issues: Detect connection bottlenecks and unusual connection patterns
- Troubleshoot Connectivity: Diagnose why applications can’t connect or communicate
- Security Monitoring: Identify unauthorized or suspicious network connections
- Resource Planning: Understand connection patterns for capacity planning
- Debug Applications: See what connections your applications are making
Basic ss Command Usage
Simple Socket Listing
Display all socket connections:
ss
This shows a list of all sockets with basic information:
- State
- Local address and port
- Remote address and port
- Process using the socket (if available)
Display Socket Summary
Get a quick overview of socket statistics:
ss -s
This displays:
- Total number of sockets
- TCP sockets by state
- UDP sockets
- Unix domain sockets
Showing Numeric Addresses
By default, ss attempts to resolve hostnames and service names. For faster results:
ss -n
This shows:
- IP addresses instead of hostnames
- Port numbers instead of service names (e.g., 80 instead of http)
Common Options
Protocol Options
- -t: Show TCP sockets
- -u: Show UDP sockets
- -w: Show RAW sockets
- -x: Show Unix domain sockets
- -d: Show DCCP sockets
Socket State Options
- -l: Show only listening sockets
- -a: Show all sockets (listening and connected)
- -e: Show extended information
- -o: Show timer information
Process Information
-p: Show process information using the socket
Filtering
- state <state>: Filter by socket state
- dport <port>: Filter by destination port
- sport <port>: Filter by source port
Practical Examples
Viewing All TCP Connections
ss -t
Shows all TCP sockets in a concise format.
Viewing Listening Ports
ss -tln
This common command shows:
- -t: TCP sockets
- -l: Listening only
- -n: Numeric output
Example output:
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:443 0.0.0.0:*
Showing Process Information
ss -tlnp
This shows which process is listening on each port:
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=1234,fd=3))
LISTEN 0 128 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=5678,fd=6))
UDP Socket Information
ss -uln
Shows listening UDP sockets (DNS servers, etc.):
State Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0 0 0.0.0.0:53 0.0.0.0:*
UNCONN 0 0 0.0.0.0:68 0.0.0.0:*
Filtering by Connection State
Established Connections
ss -t state established
Shows all active TCP connections.
Time-Wait Connections
ss -t state time-wait
Useful for identifying connections stuck in TIME-WAIT state.
All TCP States
ss -t state all
Shows connections in all states, which helps understand connection lifecycle.
Common TCP socket states:
- ESTABLISHED: Active connection
- SYN-SENT: SYN sent, waiting for SYN+ACK
- SYN-RECV: SYN received, waiting for ACK
- FIN-WAIT-1: FIN sent, waiting for ACK
- FIN-WAIT-2: ACK received, waiting for FIN
- TIME-WAIT: Waiting after close
- CLOSE: Connection closed
- CLOSE-WAIT: Received FIN, waiting to close
- LAST-ACK: Waiting for final ACK
- LISTEN: Listening for connections
Filtering by Port
Connections to Specific Port
ss -t dport = :80
Shows all TCP connections to port 80 (HTTP).
Connections from Specific Port
ss -t sport = :443
Shows all TCP connections from port 443 (HTTPS).
Combined Filters
ss -t state established dport = :443
Shows established HTTPS connections.
Detailed Socket Information
ss -te
Shows extended information including:
- Interface information
- Socket options
- Marking information
Timer Information
ss -to
Shows timer information for each socket:
- Timer type (on, off, keepalive)
- Time until next timer event
IPv4 and IPv6
IPv4 Only
ss -4
IPv6 Only
ss -6
Shows only IPv6 sockets.
Advanced Filtering
Complex Filter Expressions
HTTP and HTTPS Connections
ss -t '( dport = :80 or dport = :443 )'
Shows all web traffic connections.
Connections to Specific Host
ss -t dst 192.168.1.100
Shows connections to 192.168.1.100.
Connections from Specific Subnet
ss -t src 192.168.1.0/24
Shows connections from the 192.168.1.0/24 subnet.
Using awk with ss
Extract specific information:
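ss -tn state established | awk 'NR>1 {print $4}'
Extract remote addresses from established connections. With a single state filter, ss omits the State column, so the peer address is field 4; NR>1 skips the header line.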
Monitoring Connection Count
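Count ESTABLISHED connections to a specific port (-H suppresses the header line so it is not counted; on the server that owns the port, match sport instead of dport):
ss -Htn state established dport = :80 | wc -l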
This is useful for:
- Detecting potential DDoS attacks
- Monitoring server load
- Identifying unusual activity
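A raw count is easier to act on when it is broken down by peer. The following is an added example, not part of the original article: it groups established connections by remote address and reports peers at or above a threshold. The function names, the threshold and the sample lines (constructed, using documentation address ranges) are assumptions.

```shell
#!/bin/sh
# Added example. peers_over THRESHOLD reads `ss -Htn state established`
# output on stdin (columns: Recv-Q Send-Q Local Peer; no State column)
# and prints "count peer" for every remote address with at least
# THRESHOLD connections, busiest first.
peers_over() {
    awk -v min="$1" '
    NF >= 4 {
        peer = $4
        sub(/:[0-9]+$/, "", peer)     # drop the port
        gsub(/^\[|\]$/, "", peer)     # drop IPv6 brackets
        sub(/^::ffff:/, "", peer)     # fold IPv4-mapped IPv6 into IPv4
        n[peer]++
    }
    END { for (p in n) if (n[p] >= min) print n[p], p }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample input, same format as:
#   ss -Htn state established sport = :443
sample_established() {
    cat <<'EOF'
0 0 192.0.2.10:443 198.51.100.7:51514
0 0 192.0.2.10:443 198.51.100.7:51516
0 0 [::ffff:192.0.2.10]:443 [::ffff:198.51.100.7]:51520
0 0 192.0.2.10:443 203.0.113.25:40022
0 0 [2001:db8::10]:443 [2001:db8::beef]:60100
0 0 [2001:db8::10]:443 [2001:db8::beef]:60102
EOF
}

# Live use: ss -Htn state established sport = :443 | peers_over 20
sample_established | peers_over 2
```

Folding IPv4-mapped addresses matters on dual-stack listeners, where the same client can otherwise be counted under two different spellings.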
Troubleshooting with ss
Identifying High Connection States
Many TIME-WAIT Connections
ss -Hant | awk '{print $1}' | sort | uniq -c | sort -rn
This shows connection state distribution. High TIME-WAIT count might indicate:
- Many short-lived connections
- Need for connection tuning
- Possible optimization with keepalive settings
Many CLOSE-WAIT Connections
ss -t state close-wait
CLOSE-WAIT connections waiting to close might indicate:
- Application not closing connections properly
- Resource leaks
- Need for application debugging
Finding Listening Services
ss -tlnp | grep LISTEN
Quick way to see all listening services and their processes.
Detecting Suspicious Connections
External Connections on Local Ports
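ss -tnp state established
Review established connections for anything unusual. ss prints this state as ESTAB, so grepping for ESTABLISHED matches nothing; the state filter is reliable.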
Connections to Unauthorized IPs
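ss -Htn | awk '$5 !~ /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)/'
Find connections whose peer address is outside the private network ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). The pattern is anchored to the peer column, so a private local address or a port number containing "10" cannot hide a line.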
Debugging Application Issues
Check Application’s Connections
ss -tnp | grep <process_name>
See all connections made by a specific application.
Check Port Availability
ss -tln sport = :<port>
Verify if a port is already in use before starting a service.
Performance Monitoring
Summary Statistics
ss -s
Quick overview of socket states.
Real-Time Monitoring
watch -n 1 'ss -s'
Monitor socket statistics in real-time.
ss vs. netstat
While netstat was the traditional tool, ss provides significant advantages:
Performance
- ss is faster: Uses kernel netlink socket information directly
- Better for busy systems: Doesn’t block like netstat can
- Lower CPU usage: More efficient implementation
Information
- More detailed TCP states: Shows detailed state information
- Better filtering: More powerful filter expressions
- Process information: Easier to see which process owns each socket
Modern Support
- Active development: ss is actively maintained
- Replaces netstat: Most Linux distributions have deprecated netstat in favor of ss
Command Mapping
Replace netstat commands with ss equivalents:
| netstat | ss |
|---|---|
| netstat -a | ss -a |
| netstat -ant | ss -t -n |
| netstat -ltnp | ss -tlnp |
| netstat -s | ss -s |
| netstat -i | ss -i |
Common Use Cases
Web Server Administration
Monitor web server connections:
# Active connections
ss -s | grep TCP
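# Established connections to the web server (run on the server, where port 80 is the source port)
ss -tn state established sport = :80
# Half-open connections; a large, growing count can indicate a SYN flood
ss -tn state syn-recv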
Database Server Monitoring
# PostgreSQL
ss -t sport = :5432
# MySQL
ss -t sport = :3306
SSH Connection Tracking
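# Current inbound SSH sessions (run on the SSH server; use dport = :22 for outbound sessions)
ss -tn state established sport = :22
# ss has no "error" state and does not record failed logins; those are in the sshd authentication log.
# Half-open connections to sshd:
ss -tn state syn-recv sport = :22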
Load Balancer Health Checks
# Check backend connections
ss -t state established
Best Practices
- Use numeric flags (-n): Faster output, no DNS resolution delays
- Filter selectively: Don’t show more than needed
- Monitor states: Watch for abnormal state distributions
- Combine with other tools: Use ss with grep, awk, and other tools
- Set up alerts: Monitor for unusual connection patterns
- Regular auditing: Periodically review listening ports and connections
Security Considerations
Monitoring for Unauthorized Access
Regularly check for:
- Unexpected listening ports
- Connections to unknown IPs
- Unusual connection patterns
- Excessive failed connections
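One way to automate the check for unexpected listening ports is to compare ss output against a baseline. The following is an added example, not part of the original article: it flags every listener whose port and process pair is not in an allowlist and marks whether it is bound to loopback or reachable from the network. The function names, the allowlist format and the sample lines (constructed) are assumptions.

```shell
#!/bin/sh
# Added example. audit_listeners ALLOWLIST reads `ss -Htlnp` output on
# stdin and prints every listener whose port/process pair is missing
# from ALLOWLIST (space-separated "port/process" entries).
# Output columns: port process scope bind-address
audit_listeners() {
    awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "LISTEN" {
        addr = $4
        port = addr
        sub(/^.*:/, "", port)        # port = text after the last colon
        sub(/:[^:]*$/, "", addr)     # bind address without the port
        # The name sits in users:(("name",pid=..,fd=..)); the column is
        # empty when ss lacks permission to inspect the owning process.
        proc = "unknown"
        if (match($0, /users:\(\("[^"]+"/))
            proc = substr($0, RSTART + 9, RLENGTH - 10)
        if ((port "/" proc) in ok) next
        scope = (addr ~ /^127\./ || addr == "[::1]") ? "loopback" : "exposed"
        print port, proc, scope, addr
    }'
}

# Constructed sample in `ss -Htlnp` format (not captured from a real host).
sample_listeners() {
    cat <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=1234,fd=3))
LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=5678,fd=6))
LISTEN 0 244 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=910,fd=5))
LISTEN 0 5 0.0.0.0:8000 0.0.0.0:* users:(("python3",pid=4321,fd=3))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=1234,fd=4))
LISTEN 0 511 [::1]:6379 [::]:*
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:* users:(("sshd",pid=2222,fd=3))
EOF
}

# Hypothetical baseline; live use: ss -Htlnp | audit_listeners "$ALLOW"
ALLOW="22/sshd 80/nginx 443/nginx 5432/postgres"
sample_listeners | audit_listeners "$ALLOW"
```

Matching on the port and process pair, rather than the port alone, also catches an allowed binary listening on a port it should not own, as with the sshd entry on 8080 in the sample.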
Restricting Socket Information
By default, seeing socket process information requires root access. Ensure:
- Only authorized users can see process details
- Monitor for privilege escalation attempts
- Review connection access logs
Conclusion
The ss command is an indispensable tool for Linux system administrators and network engineers. Its ability to provide detailed socket information quickly and efficiently makes it superior to older alternatives like netstat.
By mastering ss, you can effectively monitor network connections, troubleshoot connectivity issues, and maintain secure system operations. Remember to combine ss with other monitoring tools and logging systems for comprehensive network management.