How to use ss command on Linux
Ss and netstat commands
As an alternative to the outdated netstat command, the ss command gives you information about communication between your computer and other computers, networks and other services.
The ss command will display metrics for Transmission Control Protocol (TCP), User Datagram Protocol (UDP), Unix (interprocess) and raw sockets. The raw socket operates at the OSI level network, which means that TCP and UDP protocols must be handled by software, not by the transport layer. Internet Control Message Protocol (ICMP) messages and the ping utility use the raw socket.
Use the ss command
You do not have to install the ss command, it is available on the latest versions of Linux distributions. However, the result of this command may be both long and wide.
A result after using the ss commandList the network connections
Type the following command:
ss
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process u_str ESTAB 0 0 * 41826 * 41827 u_str ESTAB 0 0 /run/systemd/journal/stdout 35689 * 35688 u_str ESTAB 0 0 * 35550 * 35551 . u_str ESTAB 0 0 * 38127 * 38128 u_str ESTAB 0 0 /run/dbus/system_bus_socket 21243 * 21242 u_str ESTAB 0 0 * 19039 * 19040 u_str ESTAB 0 0 /run/systemd/journal/stdout 18887 * 18885 u_str ESTAB 0 0 /run/dbus/system_bus_socket 19273 * 17306 icmp6 UNCONN 0 0 *:ipv6-icmp *:* udp ESTAB 0 0 192.168.4.28%enp0s3:bootpc 192.168.4.1:bootps
The columns will appear as follows:
- Netid: Types of sockets.
- State: Status of the socket.
- Recv-Q: Number of packets received.
- Send-Q: Number of packets sent.
- Local Address: Port: Local address and port (or equivalent values for Unix socket).
- Peer Address: Port: Remote address and port (or equivalent value for Unix socket).
For UDP sockets, the State column is usually left blank. With a TCP socket it could be one of the following:
- LISTEN: Only for server side. Socket is waiting for connection request.
- SYN-SENT: Only for client side. This socket makes a connection request and waits to see when it is accepted.
- SYN-RECEIVED: Only for server side. This socket waits for connection recognition after the connection request is accepted.
- ESTABLISHED: For server and client. An active connection is established between the server and the client, allowing data to be transferred between the two parties.
- FIN-WAIT-1: For server and client. This socket is waiting for a connection request from the remote socket, or recognizes a connection request from the previous one.
- FIN-WAIT-2: For server and client. This socket is waiting for connection request from the remote socket.
- CLOSE-WAIT: For Server and client. This socket is waiting for connection requests from local users.
- CLOSING: This socket is waiting for a connection request to identify it from the remote socket.
- LAST-ACK: For server and client. This socket is waiting for an identifier requesting the connection it sends to the remote socket.
- TIME-WAIT: For server and client. This socket sends an identifier to the remote socket to indicate it has received a request from the remote socket. Now it is waiting to make sure this identity has been accepted.
- CLOSED: There was no connection so the socket was canceled.
List of active sockets
To see active sockets, add -l (listening) to the command:
ss -l
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process nl UNCONN 0 0 rtnl:NetworkManager/535 * nl UNCONN 0 0 rtnl:evolution-addre/2987 * . u_str LISTEN 0 4096 /run/systemd/private 13349 * 0 u_seq LISTEN 0 4096 /run/udev/control 13376 * 0 u_str LISTEN 0 4096 /tmp/.X11-unix/X0 33071 * 0 u_dgr UNCONN 0 0 /run/systemd/journal/syslog 13360 * 0 u_str LISTEN 0 4096 /run/systemd/fsck.progress 13362 * 0 u_dgr UNCONN 0 0 /run/user/1000/systemd/notify 32303 * 0
All of these sockets are disconnected and working. 'rtnl' means routing netlink, used to transfer information between kernel and userspace processes.
List all sockets
To list all sockets, you can use the -a (all) option:
ss -a
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process nl UNCONN 0 0 rtnl:NetworkManager/535 * nl UNCONN 0 0 rtnl:evolution-addre/2987 * . u_str LISTEN 0 100 public/showq 23222 * 0 u_str LISTEN 0 100 private/error 23225 * 0 u_str LISTEN 0 100 private/retry 23228 * 0 . udp UNCONN 0 0 0.0.0.0:631 0.0.0.0:* udp UNCONN 0 0 0.0.0.0:mdns 0.0.0.0:* . tcp LISTEN 0 128 [::]:ssh [::]:* tcp LISTEN 0 5 [::1]:ipp [::]:* tcp LISTEN 0 100 [::1]:smtp [::]:*
The result will include all sockets regardless of status.
List the TCP sockets
You can use a filter, which only takes sockets to be displayed. Here, we use the -t (TCP) option, only TCP sockets will be listed:
ss -a -t
List the UDP sockets
The -u option (UDP) is the same filter. Use if you only want to see the UDP socket:
ss -a -u
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process UNCONN 0 0 0.0.0.0:631 0.0.0.0:* UNCONN 0 0 0.0.0.0:mdns 0.0.0.0:* UNCONN 0 0 0.0.0.0:60734 0.0.0.0:* UNCONN 0 0 127.0.0.53%lo:domain 0.0.0.0:* ESTAB 0 0 192.168.4.28%enp0s3:bootpc 192.168.4.1:bootps UNCONN 0 0 [::]:mdns [::]:* UNCONN 0 0 [::]:51193 [::]:*
List the Unix sockets
To see Unix sockets, you can add -x (Unix) to the command line as follows:
ss -a -x
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process u_str ESTAB 0 0 * 41826 * 41827 u_str ESTAB 0 0 * 23183 * 23184 u_str ESTAB 28 0 @/tmp/.X11-unix/X0 52640 * 52639 . u_str ESTAB 0 0 /run/systemd/journal/stdout 18887 * 18885 u_str ESTAB 0 0 /run/dbus/system_bus_socket 19273 * 17306
List the raw sockets
To filter raw sockets, add -w (raw):
ss -a -w
Lists IP socket version 4
Sockets using TCP / IP version 4 can be listed using option -4 (IPV4):
ss -a -4
Lists IP socket version 6
You can use -6 (IPV6) to find the IP socket version 6:
ss -a -6
List sockets by status
You can list sockets by status. It will be divided into categories as established, active, or closed.
Use the following command if you want to find established TCP connections, the ss command will list by name:
ss -t -r state established
The four listed connections are all in established state. The hostname, ubuntu20-04, has been resolved and 'ssh' has been shown instead of 22 for the second SSH connection.
List sockets by protocol
You can list sockets using a special protocol like dport and sport, corresponding to the destination port and the source port.
Enter the following to list the sockets under the HTTPS protocol on an established connection (note opening spaces after parentheses and before closing):
ss -a state established '( dport = :https or sport = :https )'
You can use the protocol name or the port usually connected to the protocol. The default port for SSH is port 22.
List connections to special IP addresses
With dst again, you can list connections to a certain IP address.
Use the following command:
ss -a dst 192.168.4.25
Define the process
To view the processes that are using the socket, you can use the process option (-p), as shown below (note that sudo must be used):
sudo ss -t -p
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process ESTAB 0 0 192.168.4.28:57650 54.218.19.119:https users:(("firefox",pid=3378,fd=151)) ESTAB 0 0 192.168.4.28:ssh 192.168.4.25:43946 users:(("sshd",pid=4086,fd=4),("sshd",pid=3985,fd=4))
You should read it
- How to use the which command in Linux
- 14 interesting Linux commands in Terminal
- Basic Linux commands everyone needs to know
- How to use the stat command on Linux
- 20+ essential Linux security commands
- How to use the last command in Linux
- The Cat command in Linux
- Instructions for using zforce command on Linux
- 11 uses of ps command in Linux
- How to limit access to su command in Linux
- 12 things Linux is easier to do in the command line than graphical software
- 11 df commands in Linux (with example)