How to use the ss command in Linux

The ss command is a modern replacement for the classic netstat. You can use it on Linux to get statistics on your network connections. Here’s how to work with this handy tool.

The ss command versus netstat

A replacement for the obsolete netstat command, ss gives you detailed information about how your computer communicates with other computers, networks, and services.

ss shows statistics for Transmission Control Protocol (TCP), User Datagram Protocol (UDP), Unix (interprocess), and raw sockets. Raw sockets operate at the network layer of the OSI model, which means that the TCP and UDP headers must be handled by the application software, not the transport layer. Internet Control Message Protocol (ICMP) messages and the ping utility both use raw sockets.

Using ss

You don’t have to install ss, as it is already part of an up-to-date Linux distribution. However, its output can be very long; we have obtained results that contain more than 630 lines. The results are also very wide.

Because of this, we have included text representations of the results we got, as they would not fit in a screenshot. We have trimmed them to make them more manageable.

List of network connections

Using ss with no command-line options lists the sockets that are not listening. That is, it lists the sockets that are not in a listening state.

To see this, type the following:

ss

Netid State Recv-Q Send-Q          Local Address:Port Peer Address:Port   Process
u_str ESTAB 0      0                           * 41826           * 41827
u_str ESTAB 0      0 /run/systemd/journal/stdout 35689           * 35688
u_str ESTAB 0      0                           * 35550           * 35551
...
u_str ESTAB 0      0                           * 38127           * 38128
u_str ESTAB 0      0 /run/dbus/system_bus_socket 21243           * 21242
u_str ESTAB 0      0                           * 19039           * 19040
u_str ESTAB 0      0 /run/systemd/journal/stdout 18887           * 18885 
u_str ESTAB 0      0 /run/dbus/system_bus_socket 19273           * 17306
icmp6 UNCONN 0     0                           *:ipv6-icmp       *:*
udp   ESTAB 0      0         192.168.4.28%enp0s3:bootpc 192.168.4.1:bootps

The columns are as follows:

  • Netid: The type of socket. In our example, we have “u_str”, a Unix stream, a “udp”, and “icmp6”, an IP version 6 ICMP socket. You can find more descriptions of Linux socket types in the Linux man pages.
  • State: The state the socket is in.
  • Recv-Q: The number of packets received.
  • Send-Q: The number of packets sent.
  • Local Address:Port: The local address and port (or equivalent values for Unix sockets).
  • Peer Address:Port: The remote address and port (or equivalent values for Unix sockets).

For UDP sockets, the “State” column is usually blank. For TCP sockets, it can be one of the following:

  • LISTEN: Server side only. The socket is waiting for a connection request.
  • SYN-SENT: Client side only. This socket has made a connection request and is waiting to see if it is accepted.
  • SYN-RECEIVED: Server side only. This socket is waiting for a connection acknowledgment after accepting a connection request.
  • ESTABLISHED: Server and clients. A working connection has been established between the server and the client, allowing data to be transferred between the two.
  • FIN-WAIT-1: Server and clients. This socket is waiting for a connection termination request from the remote socket, or an acknowledgment of a connection termination request that was previously sent from this socket.
  • FIN-WAIT-2: Server and clients. This socket is waiting for a connection termination request from the remote socket.
  • CLOSE-WAIT: Server and client. This socket is waiting for a connection termination request from the local user.
  • CLOSING: Server and clients. This socket is waiting for a connection termination request acknowledgment from the remote socket.
  • LAST-ACK: Server and client. This socket is waiting for an acknowledgment of the connection termination request that it sent to the remote socket.
  • TIME-WAIT: Server and clients. This socket sent an acknowledgment to the remote socket to let it know that it received the remote socket's termination request. It is now waiting to make sure the acknowledgment was received.
  • CLOSED: There is no connection, so the socket has been terminated.

Listing listening sockets

To see the listening sockets, we will add the -l (listening) option, like this:

ss -l

Netid State  Recv-Q Send-Q               Local Address:Port                  Peer Address:Port Process 
nl    UNCONN 0      0                             rtnl:NetworkManager/535                * 
nl    UNCONN 0      0                             rtnl:evolution-addre/2987              * 
...
u_str LISTEN 0      4096          /run/systemd/private 13349                            * 0 
u_seq LISTEN 0      4096             /run/udev/control 13376                            * 0 
u_str LISTEN 0      4096             /tmp/.X11-unix/X0 33071                            * 0 
u_dgr UNCONN 0      0      /run/systemd/journal/syslog 13360                            * 0 
u_str LISTEN 0      4096    /run/systemd/fsck.progress 13362                            * 0 
u_dgr UNCONN 0      0    /run/user/1000/systemd/notify 32303                            * 0

These sockets are all unconnected and listening. The “rtnl” stands for routing netlink, which is used to transfer information between the kernel and user-space processes.

Listing all sockets

To list all the sockets, you can use the -a (all) option:

ss -a

Netid State  Recv-Q Send-Q    Local Address:Port                 Peer Address:Port    Process 
nl    UNCONN 0      0                  rtnl:NetworkManager/535               * 
nl    UNCONN 0      0                  rtnl:evolution-addre/2987 * 
...
u_str LISTEN 0      100       public/showq 23222                            * 0 
u_str LISTEN 0      100      private/error 23225                            * 0 
u_str LISTEN 0      100      private/retry 23228                            * 0 
...
udp   UNCONN 0      0             0.0.0.0:631                         0.0.0.0:* 
udp   UNCONN 0      0             0.0.0.0:mdns                        0.0.0.0:* 
...
tcp   LISTEN 0      128              [::]:ssh                            [::]:* 
tcp   LISTEN 0      5               [::1]:ipp                            [::]:* 
tcp   LISTEN 0      100             [::1]:smtp                           [::]:*

The output contains all sockets, regardless of state.

TCP socket listing

You can also apply a filter so that only matching sockets are displayed. We will use the -t (TCP) option, so only TCP sockets will be listed:

ss -a -t

UDP socket listing

The -u (UDP) option performs the same type of filtering action. This time, we will only see UDP sockets:

ss -a -u

State  Recv-Q Send-Q    Local Address:Port Peer   Address:Port Process 
UNCONN 0      0               0.0.0.0:631         0.0.0.0:* 
UNCONN 0      0               0.0.0.0:mdns        0.0.0.0:* 
UNCONN 0      0               0.0.0.0:60734       0.0.0.0:* 
UNCONN 0      0         127.0.0.53%lo:domain      0.0.0.0:* 
ESTAB 0       0    192.168.4.28%enp0s3:bootpc 192.168.4.1:bootps 
UNCONN 0      0                   [::]:mdns          [::]:* 
UNCONN 0      0                   [::]:51193         [::]:*

Unix socket listing

To view only Unix sockets, you can include the -x (Unix) option, as shown below:

ss -a -x

Netid State Recv-Q Send-Q               Local Address:Port  Peer Address:Port    Process 
u_str ESTAB 0      0                                * 41826            * 41827 
u_str ESTAB 0      0                                * 23183            * 23184 
u_str ESTAB 28     0               @/tmp/.X11-unix/X0 52640            * 52639 
...
u_str ESTAB 0      0      /run/systemd/journal/stdout 18887            * 18885 
u_str ESTAB 0      0      /run/dbus/system_bus_socket 19273            * 17306

Raw socket listing

The raw socket filter is the -w (raw) option:

ss -a -w

IP version 4 socket listing

Sockets that use the TCP/IP version 4 protocol can be listed using the -4 (IPv4) option:

ss -a -4

IP version 6 socket listing

You can turn on the corresponding IP version 6 filter with the -6 (IPv6) option, like this:

ss -a -6

List of sockets by state

You can list the sockets by the state they are in with the state option. This works with established, listening, or closed states. We will also use the resolution option (-r), which tries to resolve network addresses into names and ports into protocols.

The following command will search for established TCP connections and ss will try to resolve the names:

ss -t -r state established

Four connections are listed that are in the established state. The hostname, ubuntu20-04, has been resolved and it shows “ssh” instead of 22 for the SSH connection on the second line.

We can repeat this to search for sockets in the listening state:

ss -t -r state listening

Recv-Q Send-Q Local Address:Port   Peer Address:Port Process 
0      128        localhost:5939        0.0.0.0:* 
0      4096    localhost%lo:domain      0.0.0.0:* 
0      128          0.0.0.0:ssh         0.0.0.0:* 
0      5          localhost:ipp         0.0.0.0:* 
0      100        localhost:smtp        0.0.0.0:* 
0      128             [::]:ssh         [::]:* 
0      5      ip6-localhost:ipp         [::]:* 
0      100    ip6-localhost:smtp        [::]:*

List of sockets by protocol

You can list the sockets using a particular protocol with the dport and sport options, which represent the destination and source ports, respectively.

We type the following to list the sockets that use the HTTPS protocol on an established connection (note the space after the opening parenthesis and before the closing one):

ss -a state established '( dport = :https or sport = :https )'

We can use the name of the protocol or the port normally associated with that protocol. The default port for Secure Shell (SSH) is port 22.

We will use the protocol name in a command and then repeat it using the port number:

ss -a '( dport = :ssh or sport = :ssh )'
ss -a '( dport = :22 or sport = :22 )'

As expected, we get the same results.

List of connections to a specific IP address

With the dst (destination) option, we can list the connections to a particular destination IP address.

We write the following:

ss -a dst 192.168.4.25

Process identification

To see which processes are using the sockets, you can use the processes option (-p), as shown below (note that you must use sudo):

sudo ss -t -p

State Recv-Q Send-Q  Local Address:Port   Peer Address:Port  Process 
ESTAB 0      0       192.168.4.28:57650  54.218.19.119:https users:(("firefox",pid=3378,fd=151)) 
ESTAB 0      0       192.168.4.28:ssh     192.168.4.25:43946 users:(("sshd",pid=4086,fd=4),("sshd",pid=3985,fd=4))

This shows us that the two established connections on TCP sockets are being used by the SSH daemon and Firefox.
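
The listening-socket and process listings above can be combined into a quick exposure check. The following is an added example, not part of the original article: it filters output in the format of `sudo ss -H -t -l -n -p` (-H suppresses the header and -n keeps ports numeric; neither option is covered above) and reports listeners that are not bound to loopback only. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: report TCP listeners that other hosts can reach.
# Live use (assumption): sudo ss -H -t -l -n -p | exposed_listeners

exposed_listeners() {
    awk '
    $1 == "LISTEN" {
        local_addr = $4
        # Split at the last colon, because IPv6 addresses contain colons.
        n = length(local_addr)
        while (n > 0 && substr(local_addr, n, 1) != ":") n--
        addr = substr(local_addr, 1, n - 1)
        port = substr(local_addr, n + 1)
        sub(/%.*$/, "", addr)        # drop an interface suffix such as %lo
        # Loopback-only listeners are not reachable from other hosts.
        if (addr ~ /^127\./ || addr == "[::1]") next
        # Owning process: first quoted name in users:(("name",pid=..,fd=..)).
        proc = "unknown"             # the column is empty without sudo
        if (match($0, /users:\(\("[^"]+"/)) {
            proc = substr($0, RSTART + 9, RLENGTH - 10)
        }
        print port, addr, proc
    }' | LC_ALL=C sort -k1,1n -k2,2
}

# Constructed sample in `ss -H -t -l -n -p` format (not from a real host).
sample_ss_output() {
    cat <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 5 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=640,fd=7))
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=590,fd=14))
LISTEN 0 128 192.168.4.28:5939 0.0.0.0:* users:(("demo-agent",pid=950,fd=12))
LISTEN 0 511 *:8080 *:*
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=812,fd=4))
LISTEN 0 5 [::1]:631 [::]:*
EOF
}

# Prints one "port address process" line per exposed listener.
sample_ss_output | exposed_listeners
```

Each line it prints is a service bound to a wildcard or routable address; compare the list against the services the host is meant to offer.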

A worthy successor

The ss command provides the same information previously provided by netstat, but in a simpler and more accessible way. You can see the man page for more options and tips.