How to use ss command on Linux

 

The ss and netstat commands

As an alternative to the outdated netstat command, the ss command gives you information about communication between your computer and other computers, networks and other services.

The ss command displays metrics for Transmission Control Protocol (TCP), User Datagram Protocol (UDP), Unix (interprocess) and raw sockets. Raw sockets operate at the OSI network layer, which means that the TCP and UDP protocols must be handled by software rather than by the transport layer. Internet Control Message Protocol (ICMP) messages and the ping utility use raw sockets.

Use the ss command

You do not have to install the ss command; it is available on the latest versions of Linux distributions. However, the output of this command can be both long and wide.

Picture 1: A result after using the ss command

List the network connections

Type the following command: 

ss
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
u_str ESTAB 0 0 * 41826 * 41827
u_str ESTAB 0 0 /run/systemd/journal/stdout 35689 * 35688
u_str ESTAB 0 0 * 35550 * 35551
...
u_str ESTAB 0 0 * 38127 * 38128
u_str ESTAB 0 0 /run/dbus/system_bus_socket 21243 * 21242
u_str ESTAB 0 0 * 19039 * 19040
u_str ESTAB 0 0 /run/systemd/journal/stdout 18887 * 18885
u_str ESTAB 0 0 /run/dbus/system_bus_socket 19273 * 17306
icmp6 UNCONN 0 0 *:ipv6-icmp *:*
udp ESTAB 0 0 192.168.4.28%enp0s3:bootpc 192.168.4.1:bootps

The columns will appear as follows:

  1. Netid: Type of socket.
  2. State: Status of the socket.
  3. Recv-Q: Number of packets received.
  4. Send-Q: Number of packets sent.
  5. Local Address:Port: Local address and port (or equivalent values for a Unix socket).
  6. Peer Address:Port: Remote address and port (or equivalent values for a Unix socket).

For UDP sockets, the State column is usually left blank. With a TCP socket it could be one of the following:

  1. LISTEN: Only for server side. Socket is waiting for connection request.
  2. SYN-SENT: Only for client side. This socket makes a connection request and waits to see when it is accepted.
  3. SYN-RECEIVED: Only for server side. This socket waits for connection recognition after the connection request is accepted.
  4. ESTABLISHED: For server and client. An active connection is established between the server and the client, allowing data to be transferred between the two parties.
  5. FIN-WAIT-1: For server and client. This socket is waiting for a connection request from the remote socket, or recognizes a connection request from the previous one.
  6. FIN-WAIT-2: For server and client. This socket is waiting for connection request from the remote socket.
  7. CLOSE-WAIT: For server and client. This socket is waiting for connection requests from local users.
  8. CLOSING: This socket is waiting for a connection request to identify it from the remote socket.
  9. LAST-ACK: For server and client. This socket is waiting for an identifier requesting the connection it sends to the remote socket.
  10. TIME-WAIT: For server and client. This socket sends an identifier to the remote socket to indicate it has received a request from the remote socket. Now it is waiting to make sure this identity has been accepted.
  11. CLOSED: There was no connection so the socket was canceled.

List listening sockets

To see listening sockets, add -l (listening) to the command:

ss -l
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
nl UNCONN 0 0 rtnl:NetworkManager/535 *
nl UNCONN 0 0 rtnl:evolution-addre/2987 *
...
u_str LISTEN 0 4096 /run/systemd/private 13349 * 0
u_seq LISTEN 0 4096 /run/udev/control 13376 * 0
u_str LISTEN 0 4096 /tmp/.X11-unix/X0 33071 * 0
u_dgr UNCONN 0 0 /run/systemd/journal/syslog 13360 * 0
u_str LISTEN 0 4096 /run/systemd/fsck.progress 13362 * 0
u_dgr UNCONN 0 0 /run/user/1000/systemd/notify 32303 * 0

All of these sockets are unconnected and listening. 'rtnl' means routing netlink, which is used to transfer information between the kernel and userspace processes.

List all sockets

To list all sockets, you can use the -a (all) option:

ss -a
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
nl UNCONN 0 0 rtnl:NetworkManager/535 *
nl UNCONN 0 0 rtnl:evolution-addre/2987 *
...
u_str LISTEN 0 100 public/showq 23222 * 0
u_str LISTEN 0 100 private/error 23225 * 0
u_str LISTEN 0 100 private/retry 23228 * 0
...
udp UNCONN 0 0 0.0.0.0:631 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:mdns 0.0.0.0:*
...
tcp LISTEN 0 128 [::]:ssh [::]:*
tcp LISTEN 0 5 [::1]:ipp [::]:*
tcp LISTEN 0 100 [::1]:smtp [::]:*

The result will include all sockets regardless of status.

List the TCP sockets

You can apply a filter so that only matching sockets are displayed. Here we use the -t (TCP) option, so only TCP sockets are listed:

ss -a -t

List the UDP sockets

The -u (UDP) option is the same kind of filter. Use it if you only want to see UDP sockets:

ss -a -u
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0 0 0.0.0.0:631 0.0.0.0:*
UNCONN 0 0 0.0.0.0:mdns 0.0.0.0:*
UNCONN 0 0 0.0.0.0:60734 0.0.0.0:*
UNCONN 0 0 127.0.0.53%lo:domain 0.0.0.0:*
ESTAB 0 0 192.168.4.28%enp0s3:bootpc 192.168.4.1:bootps
UNCONN 0 0 [::]:mdns [::]:*
UNCONN 0 0 [::]:51193 [::]:*

List the Unix sockets

To see Unix sockets, you can add -x (Unix) to the command line as follows:

ss -a -x
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
u_str ESTAB 0 0 * 41826 * 41827
u_str ESTAB 0 0 * 23183 * 23184
u_str ESTAB 28 0 @/tmp/.X11-unix/X0 52640 * 52639
...
u_str ESTAB 0 0 /run/systemd/journal/stdout 18887 * 18885
u_str ESTAB 0 0 /run/dbus/system_bus_socket 19273 * 17306

List the raw sockets

To filter raw sockets, add -w (raw):

ss -a -w

List IP version 4 sockets

Sockets using TCP/IP version 4 can be listed with the -4 (IPv4) option:

ss -a -4

List IP version 6 sockets

You can use -6 (IPv6) to list IP version 6 sockets:

ss -a -6

List sockets by status

You can list sockets by status. They fall into categories such as established, active, or closed.

Use the following command to find established TCP connections; with the -r (resolve) option, ss lists them by name:

ss -t -r state established

The four listed connections are all in established state. The hostname, ubuntu20-04, has been resolved and 'ssh' has been shown instead of 22 for the second SSH connection.

List sockets by protocol

You can list sockets that use a particular protocol with the dport and sport filters, which correspond to the destination port and the source port.

Enter the following to list the sockets using the HTTPS protocol on an established connection (note the spaces after the opening parenthesis and before the closing one):

ss -a state established '( dport = :https or sport = :https )'

You can use the protocol name or the port usually associated with the protocol. The default port for SSH is port 22.

List connections to specific IP addresses

With the dst option, you can list connections to a particular IP address.

Use the following command:

ss -a dst 192.168.4.25

Identify the process

To view the processes that are using the socket, you can use the process option (-p), as shown below (note that sudo must be used):

sudo ss -t -p
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 192.168.4.28:57650 54.218.19.119:https users:(("firefox",pid=3378,fd=151))
ESTAB 0 0 192.168.4.28:ssh 192.168.4.25:43946 users:(("sshd",pid=4086,fd=4),("sshd",pid=3985,fd=4))
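
Combining the -t, -l and -p options from the sections above gives a quick audit of which TCP listeners are reachable from outside the loopback interface and which process owns each one. The script below is an added example, not part of the original article; the function names and the sample output are constructed for illustration, and the parser assumes the column layout shown on this page.

```shell
#!/bin/sh
# Added example: report TCP listeners reachable from outside the loopback interface.
# Real use: sudo ss -t -l -p | exposed_listeners

# Constructed sample in the layout shown on this page (not captured from a real host).
sample_ss_output() {
cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port    Peer Address:Port Process
LISTEN 0      128    0.0.0.0:ssh           0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      5      127.0.0.1:ipp         0.0.0.0:*         users:(("cupsd",pid=640,fd=7))
LISTEN 0      4096   127.0.0.53%lo:domain  0.0.0.0:*         users:(("systemd-resolve",pid=501,fd=13))
LISTEN 0      128    [::]:ssh              [::]:*            users:(("sshd",pid=812,fd=4))
LISTEN 0      100    [::1]:smtp            [::]:*            users:(("master",pid=1290,fd=14))
LISTEN 0      511    192.168.4.28:8080     0.0.0.0:*
EOF
}

# Prints one line per exposed listener: scope address port name/pid[,name/pid...]
exposed_listeners() {
    awk '
    {
        # Accept rows with or without the leading Netid column.
        s = 0
        if ($1 == "LISTEN") s = 1
        else if ($1 == "tcp" && $2 == "LISTEN") s = 2
        if (s == 0) next                      # header, other states, non-TCP sockets

        ep = $(s + 3)                         # Local Address:Port
        port = ep; sub(/.*:/, "", port)       # text after the last colon
        addr = ep; sub(/:[^:]*$/, "", addr)   # text before the last colon
        sub(/%.*/, "", addr)                  # drop a %interface suffix such as %lo
        if (addr ~ /^127\./ || addr == "[::1]") next   # loopback-only listener

        scope = "single-address"
        if (addr == "0.0.0.0" || addr == "[::]" || addr == "*") scope = "all-interfaces"

        # Collect every ("name",pid=N pair from the users:(( ... )) column.
        procs = ""; rest = $0
        while (match(rest, /\("[^"]*",pid=[0-9]+/)) {
            item = substr(rest, RSTART + 2, RLENGTH - 2)
            sub(/",pid=/, "/", item)
            procs = procs (procs == "" ? "" : ",") item
            rest = substr(rest, RSTART + RLENGTH)
        }
        if (procs == "") procs = "unknown"    # no process shown (for example ss run without sudo)
        print scope, addr, port, procs
    }'
}

sample_ss_output | exposed_listeners
```

A listener reported as all-interfaces with an unknown owner is the one to look at first: rerun ss with sudo to get the process, then decide whether the service needs to be bound beyond loopback.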