What is the ss command used for?

The ss command is used to investigate sockets and display socket statistics in Linux, providing information about network connections, listening ports, and socket states.

How is ss different from netstat?

ss is the modern replacement for netstat, offering faster performance, more detailed information, and better filtering capabilities for investigating network sockets.

How do I show all listening ports?

Use 'ss -l' to show all listening sockets, or 'ss -ln' for numeric format without hostname resolution.

ss

Investigate sockets and display socket statistics

Syntax

ss [options] [filter]

Basic Usage

Show all sockets

ss

Displays all established connections.

Show listening sockets

ss -l

Shows all listening ports.

Show numeric addresses

ss -n

Shows addresses in numeric format.

Show process information

ss -p

Common Options

-a, --all: Show all sockets (default: connected)
-l, --listening: Show listening sockets
-n, --numeric: Show numeric addresses
-p, --processes: Show process using socket
-r, --resolve: Resolve hostnames
-s, --summary: Show socket statistics
-t, --tcp: Show TCP sockets
-u, --udp: Show UDP sockets
-w, --raw: Show raw sockets
-x, --unix: Show Unix domain sockets
-4, --ipv4: Show only IPv4 sockets
-6, --ipv6: Show only IPv6 sockets
-f, --family: Specify address family
-o, --options: Show timer information
-e, --extended: Show detailed socket information
-i, --info: Show internal TCP information
-m, --memory: Show socket memory usage
-H, --no-header: Suppress header line
-v, --verbose: Verbose mode

Socket States

TCP Socket States

LISTEN: Socket is listening for connections
ESTABLISHED: Connection is established
SYN_SENT: Connection request sent
SYN_RECV: Connection request received
FIN_WAIT1: Connection closing
FIN_WAIT2: Connection closed, waiting for remote close
TIME_WAIT: Connection closed, waiting for cleanup
CLOSE_WAIT: Remote side has closed
CLOSED: Socket is closed

Practical Examples

Show all listening TCP ports

ss -tln

Show all listening UDP ports

ss -uln

Show established connections with process info

ss -tnp

Show connections to specific port

ss -tn dst :80

Show connections from specific IP

ss -tn src 192.168.1.100

Show Unix domain sockets

ss -x

Show socket statistics

ss -s

Show memory usage for sockets

ss -m

Show timer information

ss -o

Show internal TCP information

ss -i

Filter by state

ss state established

Show IPv6 sockets only

ss -6

Filtering Options

Common Filters

state state_name: Filter by socket state
src address: Filter by source address
dst address: Filter by destination address
sport port: Filter by source port
dport port: Filter by destination port
dev interface: Filter by network interface

Understanding Output

Output Columns

Netid: Socket type (tcp, udp, unix)
State: Socket state
Recv-Q: Receive queue size
Send-Q: Send queue size
Local Address:Port: Local socket address
Peer Address:Port: Remote socket address
Process: Process using the socket

Best Practices

When to Use

Network troubleshooting
Port monitoring
Process network usage analysis
Security auditing
Performance monitoring
Service availability checking

Important Notes

ss is the modern replacement for netstat
Use -n for faster output (no DNS resolution)
Combine options for more specific information
Use filters to narrow down results
Consider using -p to identify processes
Use -s for quick network statistics overview
ss provides more detailed information than netstat

ss