How to Use ss Command to Troubleshoot Network Issues on Linux

Last updated: December 6, 2022

Linux offers multiple tools for analyzing network statistics; ss is one of those command-line utilities. In this tutorial, we'll go through the fundamentals of the ss command with some easy examples.

ss Command

The Socket Statistics (ss) command in Linux displays network socket information. When used to dump socket statistics, the ss command presents data like that of netstat, but more quickly and simply.

With ss, you can view detailed information about the sockets that are being used by your system, including their state, source and destination addresses, and other related information. It can display much more TCP and status information than most other tools.

Following is the output of the ss command, which shows data in different columns. The ss command without any options list all open non-listening sockets (e.g. TCP/UNIX/UDP) that have established connection.

We will look at all the columns one by one:

ss command columns
  • Netid - It is simply a Socket type. TCP, UDP, SOCK_SEQPACKET, and ICMP are common types of sockets.
  • State - The socket's state. Common states of sockets can be SYN-RECV, SYN-SENT, TIME-WAIT, or ESTB (established).
  • recv-Q - Tells the number of packets that the queue receives.
  • send-Q - Tells the number of packets sent from the queue.
  • Local address: port - It shows the address of the local machine and the port.
  • Peer address: port - It shows addresses and associated port numbers of the remote machines.

Syntax

ss [Options] [Filters]

You can use several options and filters with the ss command to get the data according to your requirements. You can get a list of all the available options using the following command:

ss -h

ss vs netstat command

The ss tool is included under iproute2 package and is the default in most Linux Distributions. To have netstat you need to install net-tools, which are already deprecated.

Compared to the netstat command, ss is quicker and simpler to use and provides information in a presentable format. ss fetches directly from the kernel.

The ss is not a complete replacement of netstat, some of the netstat command is replaced by ip command.

Installation

The ss command line utility comes pre-installed with most Linux distributions. The ss tool comes with the iproute2 package. However, your distribution doesn't have it installed if you get the "ss command not found" error message while running this command.

You can install it using one of the following commands:

Ubuntu

sudo apt install iproute2   

RedHat

sudo yum install iproute2 

Fedora

sudo dnf install iproute

How to Use ss Command

As with all Linux commands, the ss command operates by sending out the command executable and then using any assortment of the available options to follow it.

The ss command has fewer available options than the netstat command. However, this doesn't mean that it is less in functionalities. The ss command is somewhat more robust.

Note: Executing the ss command without any options or filters returns an exhaustive list of TCP sockets with established connections.

1. List network connections

You can list all listening and non-listening network connections using the -a or -all option.

ss -a
List all listening and non-listening connections

2. List listening sockets

To display only listening sockets, which are omitted by default, use -l or --listen option.

ss -l
List of all listening sockets

3. List TCP connections

To display the TCP socket connection, use the -t or --tcp option.

 ss -t

To display the list of all the TCP connections, you can use the -a and -t options. This includes all states of the socket.

ss -at
List of all TCP connections

To display the TCP connection for all the listening states, combine -l and -t options.

ss -alt

4. List all listening TCP connections

To display the TCP connection for all the listening states, combine -l and -t options.

ss -alt
List of all listening TCP connections

5. List UDP connections

To display the UDP socket connection, use -u or --udp option.

ss -u

To display the list of all the UDP connections, use -a and -u options. This includes all states of the socket.

ss -au
List of all UDP connections

6. List all listening UDP connections

You can combine -l and -u to display the UDP connection for all the listening states.

ss -lu
List of all listening UDP connections

7. List Unix sockets

To display all the Unix sockets, you can use the ss command along with -f unix or -x.

ss -f unix
List of all UNIX Sockets

8. List raw sockets

To display all the Raw sockets, you can use -w or --raw option.

ss -w
List of raw sockets

9. List the connection of an IP address

We can use ss command to display the list connection of a specific destination or source IP address.

For example to list connection of destination IP address:

ss dst 157.240.227.60
List the connection of an IP address.

For example to list connection of source IP address:

ss src 192.168.18.151

10. List IPv4 and IPv6 socket connections

If you want to display the list of IPv4 socket connections use -4 option and -6 to display the list of IPv6 socket connections.

To display IPv4 socket connection list:

ss -4
list IPv4 socket

To display the IPv6 socket connection list:

ss -6
List IPv6 socket

To list all the IPv4 TCP connections, you can use the following example.

ss -at4

11. Identify processes

You can find the processes of sockets using the -p option along with the ss command. To identify the process, you will need sudo permission.

sudo ss -t -p 
list processes

12. List connections with no hostname resolution

To resolve the numeric address/ports use -r (resolve) option. Whereas the -n option does not try to resolve service names.

Here in the example, you can see the difference between the two:

$ ss -tn
 State  Recv-Q Send-Q  Local Address:Port Peer Address:Port   Process
 ESTAB  0      0       74.208.235.196:22  48.192.234.17:60216
$ ss -tr
 State  Recv-Q Send-Q Local Address:Port         Peer Address:Port  Process
 ESTAB  0      64     li82-186.members.linode.com:ssh                          n47-172-231-17.sun4.vic.optusnet.com.au:60317
$

13. Filter by connection

The ss command allows advanced filtering of results and searching for specific ports or TCP states.

Filter using TCP states

To filter TCP connection with state listening, type:

ss -t state listening
TCP state listening

You can also use the grep command to filter conventionally. I'm showing all the TCP connections in the state of listening here:

ss -at | grep LISTEN
ss filter using grep command

To display established ssh port connections:

ss -tr state established '( dport = :22 or sport = :22 )'

Filter by port number

Filter for a specific destination port number or port name:

ss <options> dst :<port number or name>

For example, use a port name:

ss dst :https
Filter connections by port name

ss Command Options

As stated earlier in the document, the ss command can take in some optional parameters to get specific information about the network. Following is the list of all the options and their corresponding description:

OptionsDescription
-hDisplays a list of all options.
-VDisplays the version information.
-nService names are not resolved.
-rHost names are resolved
-aDisplays all sockets
-lDisplays all listening sockets
-oDisplays timer information
-eshow detailed socket information
-mshow socket memory usage
-pshow process using socket
-ishow internal TCP information
–-tipcnfoshow internal tipc socket information
-sshow socket usage summary
-bshow bpf filter socket information
-Econtinually display sockets as they are destroyed
-Zdisplay process SELinux security contexts
-zdisplay process and socket SELinux security contexts
-Nswitch to the specified network namespace name
-4display only IP version 4 sockets
-6display only IP version 6 sockets
-0display PACKET sockets
-tdisplay only TCP sockets
-Mdisplay only MPTCP sockets
-Sdisplay only SCTP sockets
-udisplay only UDP sockets
-ddisplay only DCCP sockets
-wdisplay only RAW sockets
-xdisplay only Unix domain sockets
-fFAMILY display sockets of type FAMILYFAMILY := {inet|inet6|link|unix|netlink|vsock|tipc|xdp|help}
-Kforcibly close sockets, display what was closed
-HSuppress header line
-Osocket's data printed on a single line
-DDump raw information about TCP sockets to FILE
-Fread filter information from FILE

ss command State Filters

It provides a method for the construction of any set of matching states. Its syntax consists of the keywords state and excludes in that order, followed by the state's identifier.

Available identifiers established, syn-sent, syn-recv, fin-wait-1, fin-wait-2, time-wait, closed, close-wait, last-ack, listening, and closing are all common TCP statuses. The following table briefs all these states:

State FilterDescription
allfor all the states
connectedall the states except for listening and closed
synchronizedall the connected states except for syn-sent
bucketstates, which are maintained as minisockets, i.e. time-wait and syn-recv
big opposite to bucket

Conclusion

The ss command utility is an easier and faster successor to the primitive netstat command. It provides advanced filtering options for socket and network statistics. Therefore, it is a must-know tool for network troubleshooting use cases.

You can follow the man page of the ss command for more details.

About The Author

Bobbin Zachariah

Bobbin Zachariah

Bobbin started his career in IT in the year 2000 as a computer science instructor and worked as a Linux system engineer and senior analyst roles. Currently working in DevOps environments to increase efficiency and improve delivery time in AWS Cloud infrastructure. He is certified in RHEL, CCNA, and MCP and holds a Masters's in computer science. When in his free time love playing cricket, blogging, and listening to music.

SHARE

Comments

Please add comments below to provide the author your ideas, appreciation and feedback.

Leave a Reply

Leave a Comment