Mastering Linux ss Command with Practical Examples

Mastering Linux ss Command

The Linux ss command is a powerful tool for network administrators that displays detailed socket statistics and monitors network connections.

Often seen as a modern replacement for the older netstat command, the Linux ss command provides quicker, more efficient insights into active TCP, UDP, and UNIX socket connections, helping users troubleshoot, monitor traffic, and optimize network performance.

With ss command, Linux users can pinpoint active ports, filter by protocol, and even close specific connections, making it an essential utility for managing and securing network activities on Linux systems.

  • Main Syntax of Linux ss command:
ss [options]

This tutorial covers practical examples to show you how you can use various options to customize the output to display specific types of sockets.

Prerequisites to Use ss Command in Linux

To start using ss command in Linux, your machine needs to meet all the below specifications:

  • A Linux VPS running a compatible Linux distribution (e.g., Ubuntu, Debian, CentOS).
  • A non-root user with sudo privileges.
  • Access to Terminal/Command line.

19 Practical Examples to Understand Linux ss Command

Let’s go through this guide to explore a variety of practical examples showcasing the capabilities of the Linux ss command.

These examples will demonstrate how to effectively monitor and manage socket connections in a Linux environment, enabling you to optimize network performance and troubleshoot issues with ease.

1. List All Connections with Linux ss Command

The -a option with the Linux ss command displays all socket connections, including both listening and non-listening (established) sockets.

This is useful when you want a comprehensive view of all active connections and services, making it ideal for network audits or monitoring overall system connectivity.

  • Syntax:
ss -a

OR

ss --all
  • Example:

To list all connections for an application or service (let’s call it opera), you can simply use the following command:

ss -a

Output:

Netid      State      Recv-Q      Send-Q       Local Address:Port       Peer Address:Port      
tcp        ESTAB      0           0            192.168.1.10:56743       93.184.216.34:http       (opera)
tcp        LISTEN     0           5            0.0.0.0:80               *:*                     (opera)
udp        UNCONN     0           0            127.0.0.1:53             *:*                     (opera)

ESTAB shows established connections.

LISTEN represents ports actively listening for connections.

UNCONN indicates UDP sockets that are not currently connected.

Using -a with ss provides a full snapshot of both active and passive sockets, which is key for thorough network monitoring on a Linux system.

2. List Only Listening Sockets

The -l option in the Linux ss command filters the output to display only listening sockets.

This option helps identify which services are open and actively waiting for incoming connections, making it especially useful for network and security checks.

  • Syntax:
ss -l

OR

ss --listen
  • Example:

To view all sockets in a listening state, including those related to an application like opera, run:

ss -l

This will reveal only the ports that are open and ready to accept incoming connections. Here’s what the output might look like:

Output

Netid      State      Recv-Q      Send-Q       Local Address:Port       Peer Address:Port      
tcp        LISTEN     0           128          0.0.0.0:80              *:*                     (opera)
tcp        LISTEN     0           5            127.0.0.1:3306          *:*                     (opera)
udp        UNCONN     0           0            0.0.0.0:68              *:*                     (opera)

tcp LISTEN entries represent TCP ports actively waiting for connections.

udp UNCONN shows UDP sockets, which are connectionless and not actively listening in the same way as TCP.

Using -l with ss helps you quickly see which ports are open to network traffic, a vital step in managing and securing network services on Linux.

3. List Only TCP Connections in Linux ss Command

The -t option in the Linux ss command filters results to show only TCP connections.

This is ideal for checking TCP-based services such as HTTP, SSH, and FTP, allowing you to focus solely on connections that use the TCP protocol.

  • Syntax:
ss -t

OR

ss --tcp
  • Example 1:

To list all active TCP connections, including those associated with a service like opera, simply use:

ss -t

This command will filter out any non-TCP connections and display only the active TCP sockets. Here’s a sample of what the output might look like:

Output

Netid      State      Recv-Q      Send-Q       Local Address:Port       Peer Address:Port      
tcp        ESTAB      0           0            192.168.1.10:22          203.0.113.5:54321       (opera)
tcp        ESTAB      0           0            192.168.1.10:80          198.51.100.23:61234     (opera)
tcp        LISTEN     0           128          0.0.0.0:443              *:*                     (opera)

ESTAB indicates established TCP connections, showing active communication.

LISTEN represents TCP ports that are open and waiting for incoming connections.

Using -t with ss helps focus specifically on TCP traffic, making it an excellent option for troubleshooting, monitoring, or auditing TCP-based services in a Linux environment.

  • Example 2:

Also, you can combine the -a and -t options with the Linux ss command to view all TCP connections on the system, including both established and listening sockets.

This provides a complete overview of TCP activity, helping you see which ports are open, listening, or currently connected to remote systems.

ss -at

This command will display every TCP socket, whether it’s actively connected or simply waiting for connections. Here’s an example output:

Output

Netid      State      Recv-Q      Send-Q       Local Address:Port       Peer Address:Port      
tcp        ESTAB      0           0            192.168.1.10:22          203.0.113.5:54321       (opera)
tcp        LISTEN     0           128          0.0.0.0:443              *:*                     (opera)
tcp        LISTEN     0           5            127.0.0.1:3306           *:*                     (opera)

ESTAB shows established connections, highlighting active TCP sessions.

LISTEN indicates ports waiting for incoming connections, such as port 443 for HTTPS.

Combining -a and -t in ss gives a full view of TCP traffic, which is beneficial for network monitoring and ensuring all open ports are as expected on your Linux system.

4. List Only UDP Connections in Linux ss Command

The -u option in the Linux ss command filters the output to display only UDP connections.

Since UDP is a connectionless protocol often used for services like DNS and DHCP, this option helps you focus specifically on sockets using UDP, which helps manage and diagnose issues in connectionless services.

  • Syntax:
ss -u

OR

ss --udp
  • Example 1:

To list all active UDP sockets, run:

ss -u

This command focuses exclusively on UDP connections, filtering out any TCP activity for a more targeted view of UDP-based traffic.

Here’s an example of what the output might look like:

Output

Netid      State      Recv-Q      Send-Q       Local Address:Port       Peer Address:Port      
udp        UNCONN     0           0            192.168.1.10:68          *:*                     (opera)
udp        UNCONN     0           0            127.0.0.1:123            *:*                     (opera)
udp        ESTAB      0           0            10.0.0.5:514             10.0.0.10:514           (opera)

UNCONN shows sockets that are not connected, typical for UDP as it doesn’t establish formal connections like TCP.

ESTAB indicates an established UDP connection, which may occur in specific configurations like certain peer-to-peer applications.

The -u option is an essential tool in ss for network troubleshooting, allowing Linux users to quickly see and manage all UDP-based connections.

  • Example 2:

Combining -a and -u with ss allows Linux users to gain a complete view of all UDP traffic, whether it’s awaiting connections or actively exchanging data, offering valuable insights into UDP activity across the system.

To output a list of all UDP connections, use:

ss -au

This command will capture both actively communicating UDP sockets and those simply waiting for potential data exchanges.

Here’s a sample of what you might see:

Output

Netid      State      Recv-Q      Send-Q       Local Address:Port       Peer Address:Port      
udp        UNCONN     0           0            192.168.1.10:123         *:*                     (opera)
udp        ESTAB      0           0            192.168.1.10:514         203.0.113.5:514         (opera)
udp        UNCONN     0           0            127.0.0.1:53             *:*                     (opera)

UNCONN shows sockets that are open but not connected, typical for services like DNS.

ESTAB represents established UDP communication, which can occur with certain applications or configurations.

Using the -a and -u options together with the ss command in Linux will show a complete list of all UDP sockets on the system, including both active and passive (unconnected) sockets.

  • Example 3:

Using the -l and -u options together with the Linux ss command allows you to display only the UDP sockets that are in a listening state.

To view all UDP sockets that are listening for incoming traffic, run:

ss -lu

This command filters out non-listening and non-UDP sockets, so you’re left with a focused list of all UDP ports waiting for incoming connections.

Here’s what the output might look like:

Output

Netid      State      Recv-Q      Send-Q       Local Address:Port       Peer Address:Port      
udp        UNCONN     0           0            0.0.0.0:53              *:*                     (opera)
udp        UNCONN     0           0            127.0.0.1:123            *:*                     (opera)
udp        UNCONN     0           0            192.168.1.10:67          *:*                     (opera)

UNCONN shows that the UDP sockets are unconnected, which is standard for listening UDP ports.

Ports like 53 (typically used by DNS) are actively awaiting UDP requests.

The -lu combination is ideal for administrators needing to quickly verify all services listening on UDP, helping manage and secure network traffic specific to connectionless protocols.

5. List UNIX Socket Connections

The -x option in the ss command displays UNIX socket connections.

UNIX sockets allow local communication between processes on the same machine, making this option especially helpful for monitoring inter-process communication (IPC) or debugging local services that rely on UNIX sockets.

  • Syntax:
ss -x

OR

ss --unix
  • Example:

To view all UNIX sockets currently active on the system, use:

ss -x

This command will filter the output to show only UNIX domain sockets, allowing you to focus on local, non-network-based communication.

Here’s a sample output:

Output

Netid      State      Recv-Q      Send-Q       Local Address:Port       Peer Address:Port      
unix       STREAM     0           0            /var/run/dbus/system_bus_socket  -               (opera)
unix       DGRAM      0           0            /run/systemd/journal/socket     -                 (opera)
unix       STREAM     0           0            @/tmp/.X11-unix/X0               -               (opera)

STREAM and DGRAM represent the types of UNIX sockets: stream-oriented or datagram-oriented.

Sockets like /var/run/dbus/system_bus_socket are crucial for IPC and often used by system services.

Using the -x option with ss helps Linux users manage and monitor UNIX sockets, providing insights into internal communication between system processes.

This can be especially valuable for socket monitoring and understanding local application behavior on Linux systems.

6. List RAW Socket Connections

The -w option in the Linux ss command lists raw socket connections, which are typically used for low-level network programming and protocols like ICMP (ping).

This option is particularly useful for monitoring raw IP traffic and can help with debugging network applications that operate at the packet level.

  • Syntax:
ss -w

OR

ss --raw
  • Example:

To view all active raw socket connections on the system, run:

ss -w

This command will filter to show only raw sockets, providing a focused view of low-level connections on your Linux system.

Here’s a sample output:

Output

Netid      State      Recv-Q      Send-Q       Local Address:Port       Peer Address:Port      
raw        UNCONN     0           0            *%eth0:icmp              *:*                     (opera)
raw        UNCONN     0           0            *%eth1:ipv6-icmp         *:*                     (opera)

raw represents raw socket connections, often tied to ICMP (ping) requests.

The %eth0 and %eth1 identifiers indicate the network interface associated with each raw socket.

Using the -w option with ss is useful for Linux administrators looking to monitor network connections at a deeper level, providing insights into raw socket traffic that may not be visible in standard TCP or UDP listings.

This can be essential for advanced network diagnostics and socket monitoring in Linux.

7. Filter Connections by Destination Address

The dst option in the Linux ss command allows you to filter the displayed connections by a specific destination IP address.

This option is ideal when you want to view only the connections to a particular host, helping you analyze outgoing traffic to that specific endpoint on your Linux system.

  • Syntax:
ss dst <destination_address>
  • Example 1:

To display all connections targeting the IP address 203.0.113.5, use:

ss dst 203.0.113.5

This command filters the output to show only connections where the destination is 203.0.113.5. Here’s what the output might look like:

Output

Netid      State      Recv-Q      Send-Q       Local Address:Port       Peer Address:Port      
tcp        ESTAB      0           0            192.168.1.10:22          203.0.113.5:54321       (opera)
udp        UNCONN     0           0            192.168.1.10:68          203.0.113.5:67          (opera)
  • The Peer Address column displays the destination address 203.0.113.5, confirming that the connections are being filtered by the specified destination.
  • TCP and UDP entries indicate the protocol types for each connection targeting the destination.

The dst option with ss is highly useful for network monitoring, allowing Linux administrators to zero in on traffic heading to specific IP addresses, which can assist in tracking network interactions or investigating connections to critical systems.

This is a valuable feature for socket monitoring and connection analysis on Linux.

Example 2:

To filter connections by source address, you can use the src option in the ss command in Linux.

To display all connections originating from the IP address 192.168.1.10, you can use:

ss src 192.168.1.10

This command filters the output to show only connections where the source is 192.168.1.10.

Here’s a sample of what the output might look like:

Output

Netid      State      Recv-Q      Send-Q       Local Address:Port       Peer Address:Port      
tcp        ESTAB      0           0            192.168.1.10:22          203.0.113.5:54321       (opera)
udp        UNCONN     0           0            192.168.1.10:68          203.0.113.5:67          (opera)

The Local Address column shows the source IP address 192.168.1.10, verifying that connections are filtered by the specified source.

Both TCP and UDP connections originating from the source IP are displayed.

The src option in ss is an excellent choice for tracking connections initiated from specific IPs, aiding in monitoring network activity by source and providing detailed insights for network management and security analysis on Linux.

8. List Process Information with Connections

The -p option in the Linux ss command shows the process (PID) and application name associated with each connection.

This option is useful for identifying which applications are responsible for specific connections, providing a clear link between network activity and running processes.

  • Syntax:
ss -p
  • Example:

To display all connections along with their associated processes, you can use:

ss -p

This command will include process information alongside each connection entry, allowing you to see which programs use each socket.

Here’s an example output:

Output

Netid      State      Recv-Q      Send-Q       Local Address:Port       Peer Address:Port       Process
tcp        ESTAB      0           0            192.168.1.10:22          203.0.113.5:54321       users:(("sshd",pid=1234,fd=3))   (opera)
tcp        LISTEN     0           128          127.0.0.1:8080           *:*                     users:(("opera",pid=5678,fd=5))

The Process column shows the application name and PID, such as "sshd" and "opera", associated with each socket.

fd represents the file descriptor, which links each connection to a specific open file in the application.

The -p option with ss is a powerful tool for network troubleshooting and security audits on Linux.

It allows administrators to monitor network connections down to the application level, making it easier to manage and control network activity by specific processes.

9. List Socket Statistics

The -s option in the Linux ss command provides a summary of socket statistics.

This option is beneficial for quickly assessing the state of sockets on your Linux system, allowing administrators to see a high-level overview of various socket types and their statuses, such as TCP, UDP, and UNIX sockets.

  • Syntax:
ss -s
  • Example:

To get a concise summary of all socket statistics, run:

ss -s

This command outputs a summary table that helps you understand the distribution of different socket types and their states.

Here’s an example output:

Output

Total: 123 (kernel 123)
TCP:   45 (LISTEN 12, ESTAB 30, TIME-WAIT 3)
UDP:   15 (UNCONN 15)
RAW:   5 (UNCONN 5)

Total indicates the total number of sockets monitored.

TCP displays various TCP states, such as LISTEN, ESTAB, and TIME-WAIT.

UDP shows the number of unconnected UDP sockets.

Using the -s option with the Linux ss command is an effective way to monitor network connections and socket activity in Linux, providing a quick snapshot of socket usage.

This capability is crucial for system administrators and network engineers when performing socket monitoring or diagnosing network performance issues on Linux systems.

10. Listing IPv4 and IPv6 Socket Connections

The Linux ss command can be used to filter and display socket connections specifically for IPv4 or IPv6 addresses.

This is essential for network diagnostics and monitoring, allowing you to distinguish between different IP protocols and analyze traffic accordingly.

Syntax for Listing IPv4 Connections:

ss -4
  • Example:

To list all active IPv4 socket connections, you can run:

ss -4

This command will return a list of all IPv4 connections, focusing on traffic using the IPv4 protocol.

Here’s an example output:

Output

Netid      State      Recv-Q      Send-Q       Local Address:Port       Peer Address:Port      
tcp        ESTAB      0           0            192.168.1.10:22          203.0.113.5:54321       
udp        UNCONN     0           0            192.168.1.10:68          0.0.0.0:67
  • Syntax for Listing IPv6 Connections:
ss -6
  • Example:

To view all active IPv6 socket connections, execute:

ss -6

This command filters the output to show only IPv6 connections, making it easier to monitor IPv6 traffic on your network.

Here’s an example output:

Output

Netid      State      Recv-Q      Send-Q       Local Address:Port       Peer Address:Port      
tcp        ESTAB      0           0            [2001:db8::1]:22          [2001:db8::2]:54321     
udp        UNCONN     0           0            [::1]:123                [::]:*      

By using ss with the -4 and -6 options, you can effectively monitor network connections in both IPv4 and IPv6 formats.

This capability is critical for modern network management, ensuring that both IP protocols are considered during socket monitoring and analysis on Linux systems.

These options are particularly useful for troubleshooting connectivity issues and assessing network performance, making them indispensable tools for system administrators.

11. Filtering Connections

The Linux ss command allows users to filter socket connections based on specific TCP states.

This feature is useful for monitoring network health and understanding the status of connections, particularly in diagnosing issues related to specific TCP states.

  • Syntax for Filtering by TCP State:
ss -t state <state>
  • Example:

To filter and list connections that are currently in the ESTAB (established) state, you can use:

ss -t state ESTAB

This command outputs only those connections that are actively established, providing insight into the currently active sessions.

Here’s an example output:

Netid      State      Recv-Q      Send-Q       Local Address:Port       Peer Address:Port      
tcp        ESTAB      0           0            192.168.1.10:22          203.0.113.5:54321       
tcp        ESTAB      0           0            192.168.1.10:80           203.0.113.6:54322

By focusing on TCP states with the Linux ss command, network administrators can effectively monitor and manage active connections, ensuring a responsive and healthy network environment.

  • Syntax for Filtering by Port Number:

Another powerful filtering option in the ss command is the ability to filter connections by specific port numbers.

ss -t '( dport = :<port_number> )'
  • Example:
ss -t '( dport = :80 )'

This command will list all connections where the destination port is 80, helping you monitor HTTP traffic. Here’s an example output:

Output

Netid      State      Recv-Q      Send-Q       Local Address:Port       Peer Address:Port      
tcp        ESTAB      0           0            192.168.1.10:80           203.0.113.6:54322      
tcp        LISTEN     0           128          0.0.0.0:80                 *:*                 

By using the Linux ss command to filter by TCP states or specific port numbers, Linux administrators can gain valuable insights into network activity.

These filtering capabilities are essential for effective socket monitoring, helping to troubleshoot issues and optimize performance across network services.

12. Resolving Hostnames

The -r option in the ss command is used to resolve the numerical addresses to their corresponding hostnames, making it easier to identify the endpoints of network connections.

This is particularly useful for socket monitoring in Linux, as it provides more readable output.

  • Syntax:
ss -r

OR

ss --resolve
  • Example:

To monitor network connections and resolve addresses to hostnames, you can use the following command:

ss -t -r

In this example, the -t flag is included to display only TCP connections, and the -r option ensures that numerical IP addresses are replaced with their corresponding hostnames.

Output

State      Recv-Q Send-Q   Local Address:Port      Peer Address:Port
ESTAB      0      0      opera.example.com:53000   server.example.net:80
LISTEN     0      128    0.0.0.0:22               *:*

In this output, you can see that the Local Address shows opera.example.com, demonstrating how the -r option has resolved the numerical address to a hostname, enhancing the clarity of your network monitoring efforts with the ss command in Linux.

13. List Extended Socket Information

The -e option in the Linux ss command allows you to display extended information about each socket, including detailed statistics such as the connection’s status and additional protocol-specific information.

This is particularly useful for in-depth socket monitoring in Linux.

  • Syntax:
ss -e

OR

ss --extended
  • Example:

To view extended socket information along with the current state of each socket, you can use the following command:

ss -t -e

In this example, the -t flag specifies that only TCP sockets should be displayed, while the -e option provides additional details.

Output

State       Recv-Q Send-Q     Local Address:Port         Peer Address:Port       Process
ESTAB       0      0          opera.example.com:53000     server.example.net:80   users:(("apache2",pid=1234,fd=5))
LISTEN      0      128        0.0.0.0:22                 *:*                     users:(("sshd",pid=5678,fd=3))

In this output, the Process column reveals information about the processes associated with each socket, making it easier to monitor network connections with the ss command in Linux.

This level of detail is valuable for troubleshooting and analyzing network performance.

14. List Monitoring Memory Usage

The -m option in the ss command enables you to display memory usage statistics for the sockets.

This feature is particularly useful for socket monitoring in Linux, as it helps identify memory consumption related to network connections.

  • Syntax:
ss -m

OR

ss --memory
  • Example:

To monitor memory usage along with the socket information, you can use the following command:

ss -t -m

In this example, the -t flag filters the output to show only TCP sockets, while the -m option provides detailed memory statistics for each socket.

Output

State      Recv-Q Send-Q     Local Address:Port         Peer Address:Port       Memory
ESTAB      0      0          opera.example.com:53000     server.example.net:80   2048 bytes
LISTEN     0      128        0.0.0.0:22                 *:*                     1024 bytes

In this output, the Memory column displays the memory usage for each socket, illustrating how you can effectively use the ss command in Linux to monitor network connections and their associated memory consumption.

This information is essential for diagnosing performance issues and optimizing resource allocation on your server.

15. Displaying Timer Information

The -o option in the ss command allows you to display timer information related to each socket, such as the time since the socket was last established or how long it has been in a particular state.

This is valuable for socket monitoring in Linux, as it provides insights into the duration of connections.

  • Syntax:
ss -o

OR

ss --options
  • Example:

Use the following command to monitor TCP sockets along with their timer information:

ss -t -o

In this example, the -t flag filters the output to show only TCP sockets, while the -o option adds timer details for each socket.

Output

State      Recv-Q Send-Q     Local Address:Port         Peer Address:Port       Timer
ESTAB      0      0          opera.example.com:53000     server.example.net:80   timer: 12345
LISTEN     0      128        0.0.0.0:22                 *:*                     timer: 0

In this output, the Timer column indicates how long each socket has been in its current state, enabling you to monitor network connections with the ss command in Linux more effectively.

Understanding socket timers can assist in troubleshooting issues related to connection persistence and timeouts, enhancing your overall network management strategy.

16. Displaying Socket Protocols

The -f option in the ss command is used to display the protocol family for each socket, such as IPv4, IPv6, and UNIX.

This feature is essential for socket monitoring in Linux, as it helps you identify the types of connections established on your system.

  • Syntax:
ss -f FAMILY

OR

ss --family FAMILY
  • Example:

To view the protocol family along with socket information, run:

ss -t -f

In this example, the -t flag filters the output to show only TCP sockets, while the -f option includes the protocol family in the output.

Output

State      Recv-Q Send-Q     Local Address:Port         Peer Address:Port       Protocol
ESTAB      0      0          opera.example.com:53000     server.example.net:80   inet
LISTEN     0      128        0.0.0.0:22                 *:*                     inet

17. Terminating Sockets

The -k or --kill option in the ss command allows you to terminate a specific socket connection by its PID (Process ID).

This feature is particularly useful for socket monitoring in Linux, as it provides a straightforward method to manage and control network connections.

  • Syntax:
ss -k

OR

ss --kill
  • Example:

To kill a specific TCP socket connection, you can use the following command along with the PID of the socket you want to terminate

ss -t -k

In this example, the -t flag displays only TCP sockets, and the -k option enables the termination of selected socket connections.

Output

State      Recv-Q Send-Q     Local Address:Port         Peer Address:Port       Process
ESTAB      0      0          opera.example.com:53000     server.example.net:80   users:(("apache2",pid=1234,fd=5))

In this output, you would identify the process you wish to terminate (e.g., apache2 with PID 1234). To kill this socket, you would issue:

ss -k -p 1234

This command would terminate the specified socket connection, allowing you to effectively manage your network connections using the ss command in Linux.

This capability is crucial for troubleshooting issues where a connection may be stuck or unresponsive, enabling you to maintain optimal network performance.

For more information on terminating processes in Linux, check out our guide on Kill Process in Linux to explore different methods for managing processes by their PID.

18. Hiding Connections

The -h or --hide option in the ss command allows you to hide certain types of connections, making it easier to focus on specific sockets or states.

This feature is useful for socket monitoring in Linux, as it helps streamline the output by excluding unnecessary information.

  • Syntax:
ss -h

OR

ss --hide
  • Example:

Run the command below to hide specific socket connections:

ss -t -h

In this example, the -t flag filters the output to show only TCP sockets, while the -h option hides connections that are not of interest, such as those that are in a specific state.

Output

State      Recv-Q Send-Q     Local Address:Port         Peer Address:Port
ESTAB      0      0          opera.example.com:53000     server.example.net:80

In this output, the non-relevant connections are excluded, allowing you to focus on the active TCP connections that matter most.

By using the ss command in Linux with the -h option, you can effectively monitor network connections while maintaining a clean and concise output, which is crucial for efficient network management and troubleshooting.

19. Displaying Numerical Addresses

The -n option in the Linux ss command instructs the command to display numerical addresses and port numbers instead of resolving them to their corresponding hostnames.

This can speed up the output, making it useful for socket monitoring in Linux, especially when you’re primarily interested in the IP addresses.

  • Syntax:
ss -n
  • Example:

Run the command below to view TCP sockets with numerical addresses:

ss -t -n

In this example, the -t flag filters the output to show only TCP sockets, while the -n option prevents hostname resolution.

Output

State      Recv-Q Send-Q     Local Address:Port         Peer Address:Port
ESTAB      0      0          192.168.1.5:53000          93.184.216.34:80
LISTEN     0      128        0.0.0.0:22                 0.0.0.0:*

In this output, the Local Address and Peer Address columns display IP addresses and port numbers without hostname resolution, providing a clear view of the active connections.

By using the ss command in Linux with the -n option, you can efficiently monitor network connections while reducing the time spent on DNS lookups, which is especially beneficial for environments with many connections or high network activity.

How to Check Man Pages and List All Commands for ss Command in Linux

To access detailed information about the Linux ss command and its various options, you can utilize the man pages in Linux.

This resource provides comprehensive documentation on command usage, including syntax, options, and examples, making it an invaluable tool for both beginners and experienced users.

  • To view the man page for ss, simply open your terminal and type:
man ss

This command displays the full manual for the ss command, including explanations of all available options and examples of how to use them effectively.

  • If you’re interested in exploring all the available commands that can be used with Linux  ss command, you can list them using the following command:
ss --help

This command provides a quick summary of the command’s usage, including the primary options and their descriptions, allowing you to get a fast overview of what ss can do without diving into the full man page.

Output

Usage: ss [ OPTIONS ]
   -h, --help                  show this help message
   -V, --version               show version
   -t, --tcp                   display TCP sockets
   -u, --udp                   display UDP sockets
   -l, --listening              display listening sockets
   -s, --summary               display socket statistics
   ...

By checking the man pages and using the --help option, you can gain a deeper understanding of the ss command and its capabilities.

Linux ss Command Options

Let’s have a glance at a comprehensive table for Linux ss command options:

OptionDescription
-a , --allDisplays all socket connections, including both listening and non-listening sockets.
-l, --listeningShows only listening sockets, ideal for identifying open ports waiting for connections.
-t , --tcpFilters the output to display only TCP connections.
-u , --udpFilters the output to display only UDP connections.
-x , --unixDisplays UNIX domain sockets.
-w , --rawDisplays raw sockets.
--dstFilters the output to show sockets connected to the specified destination address.
-p , --processShows the process ID (PID) and program name associated with each socket.
-s , --summaryProvides a summary of socket usage, displaying counts of each socket type.
-4 , --ipv4Filters the output to display only IPv4 sockets.
-6 , --ipv6Filters the output to display only IPv6 sockets.
--stateFilters output by specified connection states (e.g., ESTAB, LISTEN).
-r , --routeDisplays routing information for sockets, useful for analyzing network routes.
-e , --extendedProvides extended output, including additional information such as socket queue sizes.
-m , --memoryDisplays memory usage information for sockets.
-o , --optionsShows socket options and settings.
-f , --familyFilters output by the specified address family (e.g., inet, inet6).
-k , --killAllows you to kill a socket connection associated with a process.
-h , --helpDisplays help information about the ss command and its options.
--hideHides specified sockets from the output.
-n , --numericDisplays numerical addresses instead of resolving hostnames, speeding up the output.

Comparison of netstat and ss Commands in Linux

The following table provides a comparison between the netstat and ss commands, highlighting their key features, performance, and usage in network monitoring:

FeaturenetstatssDescription
SpeedSlowerFasterss is generally quicker in retrieving socket information.
Detail of InformationBasicMore detailedss provides more granular details about socket connections.
Protocol SupportIPv4, IPv6IPv4, IPv6, UNIXss supports UNIX sockets in addition to IPv4 and IPv6.
Filtering CapabilitiesLimitedExtensivess offers advanced filtering options for more precise results.
Recommended UsageLegacyPreferredss is recommended for modern socket monitoring tasks.
Example Commandnetstat -tulnss -tulnCommands to display listening sockets and their details.

Why use ss instead of netstat?

While netstat is a classic tool, the Linux ss command is faster and more efficient, as it pulls data directly from the kernel, reducing overhead.

The ss command also supports more advanced filtering options, which provide better control over the output.

How to filter connections by protocol with ss?

You can use specific options to filter connections by protocol.

For example, use ss -t for TCP connections, ss -u for UDP, and ss -x for UNIX sockets.

This filtering makes it easier to focus on specific protocols for targeted troubleshooting.

What does the output of the ss command mean?

The output of the Linux ss command provides several columns, including Netid, State, Recv-Q, Send-Q, Local Address:Port, and Peer Address:Port.

Understanding these fields helps you analyze the status of each connection, such as whether it is established (ESTAB) or listening (LISTEN).

Why does ss show some addresses as *:*?

The *:* symbol in the ss command output indicates that a socket is listening on all available IP addresses for the specified port.

This is common for services that are open to all network interfaces.

Why does the Linux ss command not show any output?

If the Linux ss command returns no output, it could be due to several reasons: there may be no active connections at the moment, or you may not have the necessary permissions to view certain socket information.

Ensure you are using the command with appropriate privileges, possibly with sudo.

How to save the ss command output to a file?

You can save the output by redirecting it to a file. For example, use ss -a > ss_output.txt to save all connections to a file named ss_output.txt, making it easy to review or share the data.

Conclusion

The Linux ss command stands as an essential utility for any Linux user or network administrator, offering powerful capabilities to monitor, analyze, and manage socket connections efficiently.

From checking active TCP and UDP connections to filtering by protocol and inspecting specific states, the ss command allows users to keep a close eye on network activities and troubleshoot issues as they arise.

This article has walked you through 19 practical examples of using the Linux ss command, illustrating how to utilize its diverse options to customize and optimize network visibility.

With these examples, you’re now equipped to use ss effectively, ensuring secure and well-managed network environments on your Linux systems.

Leave a Reply

Your email address will not be published. Required fields are marked.