Linux offers multiple tools for analyzing network statistics; ss is one of those command-line utilities. In this tutorial, we'll go through the fundamentals of the ss command with some easy examples.
ss Command
The Socket Statistics (ss) command in Linux displays network socket information. When used to dump socket statistics, the ss command presents data like that of netstat, but more quickly and simply.
With ss, you can view detailed information about the sockets that are being used by your system, including their state, source and destination addresses, and other related information. It can display much more TCP and status information than most other tools.
Following is the output of the ss command, which shows data in different columns. The ss command without any options list all open non-listening sockets (e.g. TCP/UNIX/UDP) that have established connection.
We will look at all the columns one by one:
- Netid - It is simply a Socket type. TCP, UDP, SOCK_SEQPACKET, and ICMP are common types of sockets.
- State - The socket's state. Common states of sockets can be SYN-RECV, SYN-SENT, TIME-WAIT, or ESTB (established).
- recv-Q - Tells the number of packets that the queue receives.
- send-Q - Tells the number of packets sent from the queue.
- Local address: port - It shows the address of the local machine and the port.
- Peer address: port - It shows addresses and associated port numbers of the remote machines.
Syntax
ss [Options] [Filters]You can use several options and filters with the ss command to get the data according to your requirements. You can get a list of all the available options using the following command:
ss -hss vs netstat command
The ss tool is included under iproute2 package and is the default in most Linux Distributions. To have netstat you need to install net-tools, which are already deprecated.
Compared to the netstat command, ss is quicker and simpler to use and provides information in a presentable format. ss fetches directly from the kernel.
The ss is not a complete replacement of netstat, some of the netstat command is replaced by ip command.
Installation
The ss command line utility comes pre-installed with most Linux distributions. The ss tool comes with the iproute2 package. However, your distribution doesn't have it installed if you get the "ss command not found" error message while running this command.
You can install it using one of the following commands:
Ubuntu
sudo apt install iproute2RedHat
sudo yum install iproute2Fedora
sudo dnf install iprouteHow to Use ss Command
As with all Linux commands, the ss command operates by sending out the command executable and then using any assortment of the available options to follow it.
The ss command has fewer available options than the netstat command. However, this doesn't mean that it is less in functionalities. The ss command is somewhat more robust.
Note: Executing the ss command without any options or filters returns an exhaustive list of TCP sockets with established connections.
1. List network connections
You can list all listening and non-listening network connections using the -a or -all option.
ss -a
2. List listening sockets
To display only listening sockets, which are omitted by default, use -l or --listen option.
ss -l
3. List TCP connections
To display the TCP socket connection, use the -t or --tcp option.
ss -t
To display the list of all the TCP connections, you can use the -a and -t options. This includes all states of the socket.
ss -at
To display the TCP connection for all the listening states, combine -l and -t options.
ss -alt4. List all listening TCP connections
To display the TCP connection for all the listening states, combine -l and -t options.
ss -alt
5. List UDP connections
To display the UDP socket connection, use -u or --udp option.
ss -uTo display the list of all the UDP connections, use -a and -u options. This includes all states of the socket.
ss -au
6. List all listening UDP connections
You can combine -l and -u to display the UDP connection for all the listening states.
ss -lu
7. List Unix sockets
To display all the Unix sockets, you can use the ss command along with -f unix or -x.
ss -f unix
8. List raw sockets
To display all the Raw sockets, you can use -w or --raw option.
ss -w
9. List the connection of an IP address
We can use ss command to display the list connection of a specific destination or source IP address.
For example to list connection of destination IP address:
ss dst 157.240.227.60
For example to list connection of source IP address:
ss src 192.168.18.15110. List IPv4 and IPv6 socket connections
If you want to display the list of IPv4 socket connections use -4 option and -6 to display the list of IPv6 socket connections.
To display IPv4 socket connection list:
ss -4
To display the IPv6 socket connection list:
ss -6
To list all the IPv4 TCP connections, you can use the following example.
ss -at4
11. Identify processes
You can find the processes of sockets using the -p option along with the ss command. To identify the process, you will need sudo permission.
sudo ss -t -p 
12. List connections with no hostname resolution
To resolve the numeric address/ports use -r (resolve) option. Whereas the -n option does not try to resolve service names.
Here in the example, you can see the difference between the two:
$ ss -tn
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 74.208.235.196:22 48.192.234.17:60216
$ ss -tr
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 64 li82-186.members.linode.com:ssh n47-172-231-17.sun4.vic.optusnet.com.au:60317
$13. Filter by connection
The ss command allows advanced filtering of results and searching for specific ports or TCP states.
Filter using TCP states
To filter TCP connection with state listening, type:
ss -t state listening
You can also use the grep command to filter conventionally. I'm showing all the TCP connections in the state of listening here:
ss -at | grep LISTEN
To display established ssh port connections:
ss -tr state established '( dport = :22 or sport = :22 )'Filter by port number
Filter for a specific destination port number or port name:
ss <options> dst :<port number or name>For example, use a port name:
ss dst :https
ss Command Options
As stated earlier in the document, the ss command can take in some optional parameters to get specific information about the network. Following is the list of all the options and their corresponding description:
| Options | Description |
|---|---|
| -h | Displays a list of all options. |
| -V | Displays the version information. |
| -n | Service names are not resolved. |
| -r | Host names are resolved |
| -a | Displays all sockets |
| -l | Displays all listening sockets |
| -o | Displays timer information |
| -e | show detailed socket information |
| -m | show socket memory usage |
| -p | show process using socket |
| -i | show internal TCP information |
| –-tipcnfo | show internal tipc socket information |
| -s | show socket usage summary |
| -b | show bpf filter socket information |
| -E | continually display sockets as they are destroyed |
| -Z | display process SELinux security contexts |
| -z | display process and socket SELinux security contexts |
| -N | switch to the specified network namespace name |
| -4 | display only IP version 4 sockets |
| -6 | display only IP version 6 sockets |
| -0 | display PACKET sockets |
| -t | display only TCP sockets |
| -M | display only MPTCP sockets |
| -S | display only SCTP sockets |
| -u | display only UDP sockets |
| -d | display only DCCP sockets |
| -w | display only RAW sockets |
| -x | display only Unix domain sockets |
| -f | FAMILY display sockets of type FAMILYFAMILY := {inet|inet6|link|unix|netlink|vsock|tipc|xdp|help} |
| -K | forcibly close sockets, display what was closed |
| -H | Suppress header line |
| -O | socket's data printed on a single line |
| -D | Dump raw information about TCP sockets to FILE |
| -F | read filter information from FILE |
ss command State Filters
It provides a method for the construction of any set of matching states. Its syntax consists of the keywords state and excludes in that order, followed by the state's identifier.
Available identifiers established, syn-sent, syn-recv, fin-wait-1, fin-wait-2, time-wait, closed, close-wait, last-ack, listening, and closing are all common TCP statuses. The following table briefs all these states:
| State Filter | Description |
|---|---|
| all | for all the states |
| connected | all the states except for listening and closed |
| synchronized | all the connected states except for syn-sent |
| bucket | states, which are maintained as minisockets, i.e. time-wait and syn-recv |
| big | opposite to bucket |
Conclusion
The ss command utility is an easier and faster successor to the primitive netstat command. It provides advanced filtering options for socket and network statistics. Therefore, it is a must-know tool for network troubleshooting use cases.
You can follow the man page of the ss command for more details.
About The Author
Bobbin Zachariah
Bobbin Zachariah is an experienced Linux engineer who has been supporting infrastructure for many companies. He specializes in Shell scripting, AWS Cloud, JavaScript, and Nodejs. He has qualified Master's degree in computer science. He holds Red Hat Certified Engineer (RHCE) certification.
Comments