Mastering Linux ss Command
The Linux ss
command is a powerful tool for network administrators that displays detailed socket statistics and monitors network connections.
Often seen as a modern replacement for the older netstat command, the Linux ss command provides quicker, more efficient insights into active TCP, UDP, and UNIX socket connections, helping users troubleshoot, monitor traffic, and optimize network performance.
With ss
command, Linux users can pinpoint active ports, filter by protocol, and even close specific connections, making it an essential utility for managing and securing network activities on Linux systems.
- Main Syntax of Linux ss command:
ss [options]
This tutorial covers practical examples to show you how you can use various options to customize the output to display specific types of sockets.
Prerequisites to Use ss Command in Linux
To start using ss command in Linux, your machine needs to meet all the below specifications:
- A Linux VPS running a compatible Linux distribution (e.g., Ubuntu, Debian, CentOS).
- A non-root user with
sudo
privileges. - Access to Terminal/Command line.
19 Practical Examples to Understand Linux ss Command
Let’s go through this guide to explore a variety of practical examples showcasing the capabilities of the Linux ss
command.
These examples will demonstrate how to effectively monitor and manage socket connections in a Linux environment, enabling you to optimize network performance and troubleshoot issues with ease.
1. List All Connections with Linux ss Command
The -a
option with the Linux ss
command displays all socket connections, including both listening and non-listening (established) sockets.
This is useful when you want a comprehensive view of all active connections and services, making it ideal for network audits or monitoring overall system connectivity.
- Syntax:
ss -a
OR
ss --all
- Example:
To list all connections for an application or service (let’s call it opera), you can simply use the following command:
ss -a
Output:
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp ESTAB 0 0 192.168.1.10:56743 93.184.216.34:http (opera)
tcp LISTEN 0 5 0.0.0.0:80 *:* (opera)
udp UNCONN 0 0 127.0.0.1:53 *:* (opera)
ESTAB
shows established connections.
LISTEN
represents ports actively listening for connections.
UNCONN
indicates UDP sockets that are not currently connected.
Using -a
with ss
provides a full snapshot of both active and passive sockets, which is key for thorough network monitoring on a Linux system.
2. List Only Listening Sockets
The -l
option in the Linux ss
command filters the output to display only listening sockets.
This option helps identify which services are open and actively waiting for incoming connections, making it especially useful for network and security checks.
- Syntax:
ss -l
OR
ss --listen
- Example:
To view all sockets in a listening state, including those related to an application like opera, run:
ss -l
This will reveal only the ports that are open and ready to accept incoming connections. Here’s what the output might look like:
Output
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp LISTEN 0 128 0.0.0.0:80 *:* (opera)
tcp LISTEN 0 5 127.0.0.1:3306 *:* (opera)
udp UNCONN 0 0 0.0.0.0:68 *:* (opera)
tcp LISTEN
entries represent TCP ports actively waiting for connections.
udp UNCONN
shows UDP sockets, which are connectionless and not actively listening in the same way as TCP.
Using -l
with ss
helps you quickly see which ports are open to network traffic, a vital step in managing and securing network services on Linux.
3. List Only TCP Connections in Linux ss Command
The -t
option in the Linux ss
command filters results to show only TCP connections.
This is ideal for checking TCP-based services such as HTTP, SSH, and FTP, allowing you to focus solely on connections that use the TCP protocol.
- Syntax:
ss -t
OR
ss --tcp
- Example 1:
To list all active TCP connections, including those associated with a service like opera, simply use:
ss -t
This command will filter out any non-TCP connections and display only the active TCP sockets. Here’s a sample of what the output might look like:
Output
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp ESTAB 0 0 192.168.1.10:22 203.0.113.5:54321 (opera)
tcp ESTAB 0 0 192.168.1.10:80 198.51.100.23:61234 (opera)
tcp LISTEN 0 128 0.0.0.0:443 *:* (opera)
ESTAB
indicates established TCP connections, showing active communication.
LISTEN
represents TCP ports that are open and waiting for incoming connections.
Using -t
with ss
helps focus specifically on TCP traffic, making it an excellent option for troubleshooting, monitoring, or auditing TCP-based services in a Linux environment.
- Example 2:
Also, you can combine the -a
and -t
options with the Linux ss
command to view all TCP connections on the system, including both established and listening sockets.
This provides a complete overview of TCP activity, helping you see which ports are open, listening, or currently connected to remote systems.
ss -at
This command will display every TCP socket, whether it’s actively connected or simply waiting for connections. Here’s an example output:
Output
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp ESTAB 0 0 192.168.1.10:22 203.0.113.5:54321 (opera)
tcp LISTEN 0 128 0.0.0.0:443 *:* (opera)
tcp LISTEN 0 5 127.0.0.1:3306 *:* (opera)
ESTAB
shows established connections, highlighting active TCP sessions.
LISTEN
indicates ports waiting for incoming connections, such as port 443 for HTTPS.
Combining -a
and -t
in ss
gives a full view of TCP traffic, which is beneficial for network monitoring and ensuring all open ports are as expected on your Linux system.
4. List Only UDP Connections in Linux ss Command
The -u
option in the Linux ss
command filters the output to display only UDP connections.
Since UDP is a connectionless protocol often used for services like DNS and DHCP, this option helps you focus specifically on sockets using UDP, which helps manage and diagnose issues in connectionless services.
- Syntax:
ss -u
OR
ss --udp
- Example 1:
To list all active UDP sockets, run:
ss -u
This command focuses exclusively on UDP connections, filtering out any TCP activity for a more targeted view of UDP-based traffic.
Here’s an example of what the output might look like:
Output
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 192.168.1.10:68 *:* (opera)
udp UNCONN 0 0 127.0.0.1:123 *:* (opera)
udp ESTAB 0 0 10.0.0.5:514 10.0.0.10:514 (opera)
UNCONN
shows sockets that are not connected, typical for UDP as it doesn’t establish formal connections like TCP.
ESTAB
indicates an established UDP connection, which may occur in specific configurations like certain peer-to-peer applications.
The -u
option is an essential tool in ss
for network troubleshooting, allowing Linux users to quickly see and manage all UDP-based connections.
- Example 2:
Combining -a
and -u
with ss
allows Linux users to gain a complete view of all UDP traffic, whether it’s awaiting connections or actively exchanging data, offering valuable insights into UDP activity across the system.
To output a list of all UDP connections, use:
ss -au
This command will capture both actively communicating UDP sockets and those simply waiting for potential data exchanges.
Here’s a sample of what you might see:
Output
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 192.168.1.10:123 *:* (opera)
udp ESTAB 0 0 192.168.1.10:514 203.0.113.5:514 (opera)
udp UNCONN 0 0 127.0.0.1:53 *:* (opera)
UNCONN
shows sockets that are open but not connected, typical for services like DNS.
ESTAB
represents established UDP communication, which can occur with certain applications or configurations.
Using the -a
and -u
options together with the ss
command in Linux will show a complete list of all UDP sockets on the system, including both active and passive (unconnected) sockets.
- Example 3:
Using the -l
and -u
options together with the Linux ss
command allows you to display only the UDP sockets that are in a listening state.
To view all UDP sockets that are listening for incoming traffic, run:
ss -lu
This command filters out non-listening and non-UDP sockets, so you’re left with a focused list of all UDP ports waiting for incoming connections.
Here’s what the output might look like:
Output
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 0.0.0.0:53 *:* (opera)
udp UNCONN 0 0 127.0.0.1:123 *:* (opera)
udp UNCONN 0 0 192.168.1.10:67 *:* (opera)
UNCONN
shows that the UDP sockets are unconnected, which is standard for listening UDP ports.Ports like 53 (typically used by DNS) are actively awaiting UDP requests.
The -lu
combination is ideal for administrators needing to quickly verify all services listening on UDP, helping manage and secure network traffic specific to connectionless protocols.
5. List UNIX Socket Connections
The -x
option in the ss
command displays UNIX socket connections.
UNIX sockets allow local communication between processes on the same machine, making this option especially helpful for monitoring inter-process communication (IPC) or debugging local services that rely on UNIX sockets.
- Syntax:
ss -x
OR
ss --unix
- Example:
To view all UNIX sockets currently active on the system, use:
ss -x
This command will filter the output to show only UNIX domain sockets, allowing you to focus on local, non-network-based communication.
Here’s a sample output:
Output
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
unix STREAM 0 0 /var/run/dbus/system_bus_socket - (opera)
unix DGRAM 0 0 /run/systemd/journal/socket - (opera)
unix STREAM 0 0 @/tmp/.X11-unix/X0 - (opera)
STREAM
andDGRAM
represent the types of UNIX sockets: stream-oriented or datagram-oriented.Sockets like
/var/run/dbus/system_bus_socket
are crucial for IPC and often used by system services.
Using the -x
option with ss
helps Linux users manage and monitor UNIX sockets, providing insights into internal communication between system processes.
This can be especially valuable for socket monitoring and understanding local application behavior on Linux systems.
6. List RAW Socket Connections
The -w
option in the Linux ss
command lists raw socket connections, which are typically used for low-level network programming and protocols like ICMP (ping).
This option is particularly useful for monitoring raw IP traffic and can help with debugging network applications that operate at the packet level.
- Syntax:
ss -w
OR
ss --raw
- Example:
To view all active raw socket connections on the system, run:
ss -w
This command will filter to show only raw sockets, providing a focused view of low-level connections on your Linux system.
Here’s a sample output:
Output
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
raw UNCONN 0 0 *%eth0:icmp *:* (opera)
raw UNCONN 0 0 *%eth1:ipv6-icmp *:* (opera)
raw
represents raw socket connections, often tied to ICMP (ping) requests.The
%eth0
and%eth1
identifiers indicate the network interface associated with each raw socket.
Using the -w
option with ss is useful for Linux administrators looking to monitor network connections at a deeper level, providing insights into raw socket traffic that may not be visible in standard TCP or UDP listings.
This can be essential for advanced network diagnostics and socket monitoring in Linux.
7. Filter Connections by Destination Address
The dst
option in the Linux ss command allows you to filter the displayed connections by a specific destination IP address.
This option is ideal when you want to view only the connections to a particular host, helping you analyze outgoing traffic to that specific endpoint on your Linux system.
- Syntax:
ss dst <destination_address>
- Example 1:
To display all connections targeting the IP address 203.0.113.5
, use:
ss dst 203.0.113.5
This command filters the output to show only connections where the destination is 203.0.113.5
. Here’s what the output might look like:
Output
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp ESTAB 0 0 192.168.1.10:22 203.0.113.5:54321 (opera)
udp UNCONN 0 0 192.168.1.10:68 203.0.113.5:67 (opera)
- The
Peer Address
column displays the destination address203.0.113.5
, confirming that the connections are being filtered by the specified destination. - TCP and UDP entries indicate the protocol types for each connection targeting the destination.
The dst
option with ss
is highly useful for network monitoring, allowing Linux administrators to zero in on traffic heading to specific IP addresses, which can assist in tracking network interactions or investigating connections to critical systems.
This is a valuable feature for socket monitoring and connection analysis on Linux.
Example 2:
To filter connections by source address, you can use the src
option in the ss
command in Linux.
To display all connections originating from the IP address 192.168.1.10
, you can use:
ss src 192.168.1.10
This command filters the output to show only connections where the source is 192.168.1.10.
Here’s a sample of what the output might look like:
Output
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp ESTAB 0 0 192.168.1.10:22 203.0.113.5:54321 (opera)
udp UNCONN 0 0 192.168.1.10:68 203.0.113.5:67 (opera)
The
Local Address
column shows the source IP address192.168.1.10
, verifying that connections are filtered by the specified source.Both TCP and UDP connections originating from the source IP are displayed.
The src
option in ss
is an excellent choice for tracking connections initiated from specific IPs, aiding in monitoring network activity by source and providing detailed insights for network management and security analysis on Linux.
8. List Process Information with Connections
The -p
option in the Linux ss
command shows the process (PID) and application name associated with each connection.
This option is useful for identifying which applications are responsible for specific connections, providing a clear link between network activity and running processes.
- Syntax:
ss -p
- Example:
To display all connections along with their associated processes, you can use:
ss -p
This command will include process information alongside each connection entry, allowing you to see which programs use each socket.
Here’s an example output:
Output
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp ESTAB 0 0 192.168.1.10:22 203.0.113.5:54321 users:(("sshd",pid=1234,fd=3)) (opera)
tcp LISTEN 0 128 127.0.0.1:8080 *:* users:(("opera",pid=5678,fd=5))
The
Process
column shows the application name and PID, such as"sshd"
and"opera"
, associated with each socket.fd represents the file descriptor, which links each connection to a specific open file in the application.
The -p
option with ss
is a powerful tool for network troubleshooting and security audits on Linux.
It allows administrators to monitor network connections down to the application level, making it easier to manage and control network activity by specific processes.
9. List Socket Statistics
The -s
option in the Linux ss
command provides a summary of socket statistics.
This option is beneficial for quickly assessing the state of sockets on your Linux system, allowing administrators to see a high-level overview of various socket types and their statuses, such as TCP, UDP, and UNIX sockets.
- Syntax:
ss -s
- Example:
To get a concise summary of all socket statistics, run:
ss -s
This command outputs a summary table that helps you understand the distribution of different socket types and their states.
Here’s an example output:
Output
Total: 123 (kernel 123)
TCP: 45 (LISTEN 12, ESTAB 30, TIME-WAIT 3)
UDP: 15 (UNCONN 15)
RAW: 5 (UNCONN 5)
Total
indicates the total number of sockets monitored.TCP displays various TCP states, such as
LISTEN
,ESTAB
, andTIME-WAIT
.UDP shows the number of unconnected UDP sockets.
Using the -s
option with the Linux ss
command is an effective way to monitor network connections and socket activity in Linux, providing a quick snapshot of socket usage.
This capability is crucial for system administrators and network engineers when performing socket monitoring or diagnosing network performance issues on Linux systems.
10. Listing IPv4 and IPv6 Socket Connections
The Linux ss
command can be used to filter and display socket connections specifically for IPv4 or IPv6 addresses.
This is essential for network diagnostics and monitoring, allowing you to distinguish between different IP protocols and analyze traffic accordingly.
Syntax for Listing IPv4 Connections:
ss -4
- Example:
To list all active IPv4 socket connections, you can run:
ss -4
This command will return a list of all IPv4 connections, focusing on traffic using the IPv4 protocol.
Here’s an example output:
Output
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp ESTAB 0 0 192.168.1.10:22 203.0.113.5:54321
udp UNCONN 0 0 192.168.1.10:68 0.0.0.0:67
- Syntax for Listing IPv6 Connections:
ss -6
- Example:
To view all active IPv6 socket connections, execute:
ss -6
This command filters the output to show only IPv6 connections, making it easier to monitor IPv6 traffic on your network.
Here’s an example output:
Output
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp ESTAB 0 0 [2001:db8::1]:22 [2001:db8::2]:54321
udp UNCONN 0 0 [::1]:123 [::]:*
By using ss with the
-4
and-6
options, you can effectively monitor network connections in both IPv4 and IPv6 formats.
This capability is critical for modern network management, ensuring that both IP protocols are considered during socket monitoring and analysis on Linux systems.
These options are particularly useful for troubleshooting connectivity issues and assessing network performance, making them indispensable tools for system administrators.
11. Filtering Connections
The Linux ss
command allows users to filter socket connections based on specific TCP states.
This feature is useful for monitoring network health and understanding the status of connections, particularly in diagnosing issues related to specific TCP states.
- Syntax for Filtering by TCP State:
ss -t state <state>
- Example:
To filter and list connections that are currently in the ESTAB (established) state, you can use:
ss -t state ESTAB
This command outputs only those connections that are actively established, providing insight into the currently active sessions.
Here’s an example output:
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp ESTAB 0 0 192.168.1.10:22 203.0.113.5:54321
tcp ESTAB 0 0 192.168.1.10:80 203.0.113.6:54322
By focusing on TCP states with the Linux
ss
command, network administrators can effectively monitor and manage active connections, ensuring a responsive and healthy network environment.
- Syntax for Filtering by Port Number:
Another powerful filtering option in the ss command is the ability to filter connections by specific port numbers.
ss -t '( dport = :<port_number> )'
- Example:
ss -t '( dport = :80 )'
This command will list all connections where the destination port is 80, helping you monitor HTTP traffic. Here’s an example output:
Output
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp ESTAB 0 0 192.168.1.10:80 203.0.113.6:54322
tcp LISTEN 0 128 0.0.0.0:80 *:*
By using the Linux
ss
command to filter by TCP states or specific port numbers, Linux administrators can gain valuable insights into network activity.
These filtering capabilities are essential for effective socket monitoring, helping to troubleshoot issues and optimize performance across network services.
12. Resolving Hostnames
The -r
option in the ss
command is used to resolve the numerical addresses to their corresponding hostnames, making it easier to identify the endpoints of network connections.
This is particularly useful for socket monitoring in Linux, as it provides more readable output.
- Syntax:
ss -r
OR
ss --resolve
- Example:
To monitor network connections and resolve addresses to hostnames, you can use the following command:
ss -t -r
In this example, the -t
flag is included to display only TCP connections, and the -r
option ensures that numerical IP addresses are replaced with their corresponding hostnames.
Output
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 opera.example.com:53000 server.example.net:80
LISTEN 0 128 0.0.0.0:22 *:*
In this output, you can see that the
Local Address
showsopera.example.com
, demonstrating how the-r
option has resolved the numerical address to a hostname, enhancing the clarity of your network monitoring efforts with the ss command in Linux.
13. List Extended Socket Information
The -e
option in the Linux ss
command allows you to display extended information about each socket, including detailed statistics such as the connection’s status and additional protocol-specific information.
This is particularly useful for in-depth socket monitoring in Linux.
- Syntax:
ss -e
OR
ss --extended
- Example:
To view extended socket information along with the current state of each socket, you can use the following command:
ss -t -e
In this example, the -t
flag specifies that only TCP sockets should be displayed, while the -e
option provides additional details.
Output
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 opera.example.com:53000 server.example.net:80 users:(("apache2",pid=1234,fd=5))
LISTEN 0 128 0.0.0.0:22 *:* users:(("sshd",pid=5678,fd=3))
In this output, the Process
column reveals information about the processes associated with each socket, making it easier to monitor network connections with the ss
command in Linux.
This level of detail is valuable for troubleshooting and analyzing network performance.
14. List Monitoring Memory Usage
The -m
option in the ss
command enables you to display memory usage statistics for the sockets.
This feature is particularly useful for socket monitoring in Linux, as it helps identify memory consumption related to network connections.
- Syntax:
ss -m
OR
ss --memory
- Example:
To monitor memory usage along with the socket information, you can use the following command:
ss -t -m
In this example, the -t
flag filters the output to show only TCP sockets, while the -m
option provides detailed memory statistics for each socket.
Output
State Recv-Q Send-Q Local Address:Port Peer Address:Port Memory
ESTAB 0 0 opera.example.com:53000 server.example.net:80 2048 bytes
LISTEN 0 128 0.0.0.0:22 *:* 1024 bytes
In this output, the
Memory
column displays the memory usage for each socket, illustrating how you can effectively use thess
command in Linux to monitor network connections and their associated memory consumption.
This information is essential for diagnosing performance issues and optimizing resource allocation on your server.
15. Displaying Timer Information
The -o
option in the ss
command allows you to display timer information related to each socket, such as the time since the socket was last established or how long it has been in a particular state.
This is valuable for socket monitoring in Linux, as it provides insights into the duration of connections.
- Syntax:
ss -o
OR
ss --options
- Example:
Use the following command to monitor TCP sockets along with their timer information:
ss -t -o
In this example, the -t
flag filters the output to show only TCP sockets, while the -o
option adds timer details for each socket.
Output
State Recv-Q Send-Q Local Address:Port Peer Address:Port Timer
ESTAB 0 0 opera.example.com:53000 server.example.net:80 timer: 12345
LISTEN 0 128 0.0.0.0:22 *:* timer: 0
In this output, the
Timer
column indicates how long each socket has been in its current state, enabling you to monitor network connections with thess
command in Linux more effectively.
Understanding socket timers can assist in troubleshooting issues related to connection persistence and timeouts, enhancing your overall network management strategy.
16. Displaying Socket Protocols
The -f
option in the ss
command is used to display the protocol family for each socket, such as IPv4, IPv6, and UNIX.
This feature is essential for socket monitoring in Linux, as it helps you identify the types of connections established on your system.
- Syntax:
ss -f FAMILY
OR
ss --family FAMILY
- Example:
To view the protocol family along with socket information, run:
ss -t -f
In this example, the -t
flag filters the output to show only TCP sockets, while the -f
option includes the protocol family in the output.
Output
State Recv-Q Send-Q Local Address:Port Peer Address:Port Protocol
ESTAB 0 0 opera.example.com:53000 server.example.net:80 inet
LISTEN 0 128 0.0.0.0:22 *:* inet
17. Terminating Sockets
The -k
or --kill
option in the ss command allows you to terminate a specific socket connection by its PID (Process ID).
This feature is particularly useful for socket monitoring in Linux, as it provides a straightforward method to manage and control network connections.
- Syntax:
ss -k
OR
ss --kill
- Example:
To kill a specific TCP socket connection, you can use the following command along with the PID of the socket you want to terminate
ss -t -k
In this example, the -t
flag displays only TCP sockets, and the -k
option enables the termination of selected socket connections.
Output
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 opera.example.com:53000 server.example.net:80 users:(("apache2",pid=1234,fd=5))
In this output, you would identify the process you wish to terminate (e.g.,
apache2
with PID 1234). To kill this socket, you would issue:
ss -k -p 1234
This command would terminate the specified socket connection, allowing you to effectively manage your network connections using the ss
command in Linux.
This capability is crucial for troubleshooting issues where a connection may be stuck or unresponsive, enabling you to maintain optimal network performance.
For more information on terminating processes in Linux, check out our guide on Kill Process in Linux to explore different methods for managing processes by their PID.
18. Hiding Connections
The -h
or --hide
option in the ss
command allows you to hide certain types of connections, making it easier to focus on specific sockets or states.
This feature is useful for socket monitoring in Linux, as it helps streamline the output by excluding unnecessary information.
- Syntax:
ss -h
OR
ss --hide
- Example:
Run the command below to hide specific socket connections:
ss -t -h
In this example, the -t
flag filters the output to show only TCP sockets, while the -h
option hides connections that are not of interest, such as those that are in a specific state.
Output
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 opera.example.com:53000 server.example.net:80
In this output, the non-relevant connections are excluded, allowing you to focus on the active TCP connections that matter most.
By using the ss
command in Linux with the -h
option, you can effectively monitor network connections while maintaining a clean and concise output, which is crucial for efficient network management and troubleshooting.
19. Displaying Numerical Addresses
The -n
option in the Linux ss
command instructs the command to display numerical addresses and port numbers instead of resolving them to their corresponding hostnames.
This can speed up the output, making it useful for socket monitoring in Linux, especially when you’re primarily interested in the IP addresses.
- Syntax:
ss -n
- Example:
Run the command below to view TCP sockets with numerical addresses:
ss -t -n
In this example, the -t
flag filters the output to show only TCP sockets, while the -n
option prevents hostname resolution.
Output
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 192.168.1.5:53000 93.184.216.34:80
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
In this output, the
Local Address
andPeer Address
columns display IP addresses and port numbers without hostname resolution, providing a clear view of the active connections.
By using the ss command in Linux with the -n
option, you can efficiently monitor network connections while reducing the time spent on DNS lookups, which is especially beneficial for environments with many connections or high network activity.
How to Check Man Pages and List All Commands for ss Command in Linux
To access detailed information about the Linux ss
command and its various options, you can utilize the man pages in Linux.
This resource provides comprehensive documentation on command usage, including syntax, options, and examples, making it an invaluable tool for both beginners and experienced users.
- To view the man page for ss, simply open your terminal and type:
man ss
This command displays the full manual for the ss command, including explanations of all available options and examples of how to use them effectively.
- If you’re interested in exploring all the available commands that can be used with Linux
ss
command, you can list them using the following command:
ss --help
This command provides a quick summary of the command’s usage, including the primary options and their descriptions, allowing you to get a fast overview of what ss
can do without diving into the full man page.
Output
Usage: ss [ OPTIONS ]
-h, --help show this help message
-V, --version show version
-t, --tcp display TCP sockets
-u, --udp display UDP sockets
-l, --listening display listening sockets
-s, --summary display socket statistics
...
By checking the man pages and using the --help
option, you can gain a deeper understanding of the ss command and its capabilities.
Linux ss Command Options
Let’s have a glance at a comprehensive table for Linux ss
command options:
Option | Description |
---|---|
-a , --all | Displays all socket connections, including both listening and non-listening sockets. |
-l , --listening | Shows only listening sockets, ideal for identifying open ports waiting for connections. |
-t , --tcp | Filters the output to display only TCP connections. |
-u , --udp | Filters the output to display only UDP connections. |
-x , --unix | Displays UNIX domain sockets. |
-w , --raw | Displays raw sockets. |
--dst | Filters the output to show sockets connected to the specified destination address. |
-p , --process | Shows the process ID (PID) and program name associated with each socket. |
-s , --summary | Provides a summary of socket usage, displaying counts of each socket type. |
-4 , --ipv4 | Filters the output to display only IPv4 sockets. |
-6 , --ipv6 | Filters the output to display only IPv6 sockets. |
--state | Filters output by specified connection states (e.g., ESTAB, LISTEN). |
-r , --route | Displays routing information for sockets, useful for analyzing network routes. |
-e , --extended | Provides extended output, including additional information such as socket queue sizes. |
-m , --memory | Displays memory usage information for sockets. |
-o , --options | Shows socket options and settings. |
-f , --family | Filters output by the specified address family (e.g., inet, inet6). |
-k , --kill
| Allows you to kill a socket connection associated with a process. |
-h , --help | Displays help information about the ss command and its options. |
--hide | Hides specified sockets from the output. |
-n , --numeric | Displays numerical addresses instead of resolving hostnames, speeding up the output. |
Comparison of netstat and ss Commands in Linux
The following table provides a comparison between the netstat
and ss
commands, highlighting their key features, performance, and usage in network monitoring:
Feature | netstat | ss | Description |
---|---|---|---|
Speed | Slower | Faster | ss is generally quicker in retrieving socket information. |
Detail of Information | Basic | More detailed | ss provides more granular details about socket connections. |
Protocol Support | IPv4, IPv6 | IPv4, IPv6, UNIX | ss supports UNIX sockets in addition to IPv4 and IPv6. |
Filtering Capabilities | Limited | Extensive | ss offers advanced filtering options for more precise results. |
Recommended Usage | Legacy | Preferred | ss is recommended for modern socket monitoring tasks. |
Example Command | netstat -tuln | ss -tuln | Commands to display listening sockets and their details. |
Why use ss instead of netstat?
While netstat
is a classic tool, the Linux ss
command is faster and more efficient, as it pulls data directly from the kernel, reducing overhead.
The ss
command also supports more advanced filtering options, which provide better control over the output.
How to filter connections by protocol with ss?
You can use specific options to filter connections by protocol.
For example, use ss -t
for TCP connections, ss -u
for UDP, and ss -x
for UNIX sockets.
This filtering makes it easier to focus on specific protocols for targeted troubleshooting.
What does the output of the ss command mean?
The output of the Linux ss
command provides several columns, including Netid
, State
, Recv-Q
, Send-Q
, Local Address:Port,
and Peer Address:Port
.
Understanding these fields helps you analyze the status of each connection, such as whether it is established (ESTAB) or listening (LISTEN).
Why does ss show some addresses as *:*?
The *:*
symbol in the ss command output indicates that a socket is listening on all available IP addresses for the specified port.
This is common for services that are open to all network interfaces.
Why does the Linux ss command not show any output?
If the Linux ss command returns no output, it could be due to several reasons: there may be no active connections at the moment, or you may not have the necessary permissions to view certain socket information.
Ensure you are using the command with appropriate privileges, possibly with sudo.
How to save the ss command output to a file?
You can save the output by redirecting it to a file. For example, use ss -a > ss_output.txt
to save all connections to a file named ss_output.txt
, making it easy to review or share the data.
Conclusion
The Linux ss
command stands as an essential utility for any Linux user or network administrator, offering powerful capabilities to monitor, analyze, and manage socket connections efficiently.
From checking active TCP and UDP connections to filtering by protocol and inspecting specific states, the ss
command allows users to keep a close eye on network activities and troubleshoot issues as they arise.
This article has walked you through 19 practical examples of using the Linux ss
command, illustrating how to utilize its diverse options to customize and optimize network visibility.
With these examples, you’re now equipped to use ss effectively, ensuring secure and well-managed network environments on your Linux systems.