ss (socket statistics) is a command line tool that monitors socket connections and displays the socket statistics of the Linux system. It can display stats for PACKET sockets, TCP sockets, UDP sockets, DCCP sockets, RAW sockets, Unix domain sockets, and much more.
This replaces the deprecated netstat command in the latest version of Linux. The ss command is much faster and prints more detailed network statistics than the netstat command.
If you are familiar with the netstat command, it will be easier for you to understand the ss command as it uses similar command line options to display network connections information.
Refer the following link to see other network command tutorials.
1) List all socket connections
The basic ss command without any arguments, which displays all the socket or network connections as shown below:
$ ss
Understanding the output header:
- Netid: Type of socket. Common types are TCP, UDP, u_str (Unix stream), and u_seq (Unix sequence).
- State: State of the socket. Common states are ESTAB (established), UNCONN (unconnected), LISTEN (listening), CLOSE-WAIT, and SYN-SENT.
- Recv-Q: Number of received packets in the queue.
- Send-Q: Number of sent packets in the queue.
- Local Address:Port – Address of local machine and port.
- Peer Address:Port – Address of remote machine and port.
The default output shows thousands of lines at once and part of the output will be not visible on the terminal, so use the ‘less’ command for page-wise reporting.
$ ss | less Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port u_seq ESTAB 0 0 @0000d 54585 * 54586 u_seq ESTAB 0 0 @0000e 54587 * 54588 u_seq ESTAB 0 0 @0000f 55132 * 55133 u_seq ESTAB 0 0 @00010 55134 * 55135 u_str ESTAB 0 0 * 439093 * 442955 u_str ESTAB 0 0 * 260423 * 260424 u_seq ESTAB 0 0 * 153096 * 153095 u_str ESTAB 0 0 * 57451 * 57450 u_str ESTAB 0 0 * 55382 * 49033 u_str ESTAB 0 0 * 41956 * 41957 u_seq ESTAB 0 0 * 41936 * 41935 u_str ESTAB 0 0 /run/user/1000/bus 39750 * 35633
2) View all socket connections
List all listening and non-listening sockets connections on your Linux system, run:
$ ss -a
3) View all listening socket
Display only listening sockets connections on your Linux system, run:
$ ss -l Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port nl UNCONN 0 0 rtnl:chrome/3578 * nl UNCONN 0 0 rtnl:kernel * nl UNCONN 0 0 rtnl:chrome/3618 * nl UNCONN 0 0 rtnl:mission-control/2102 * nl UNCONN 0 0 rtnl:atom/3381 * nl UNCONN 0 0 rtnl:goa-daemon/2107 * nl UNCONN 0 0 rtnl:firefox/2979 * nl UNCONN 0 0 rtnl:evolution-calen/2207 * nl UNCONN 0 0 rtnl:nscd/1262 * nl UNCONN 0 0 rtnl:gnome-software/2229 * nl UNCONN 0 0 rtnl:avahi-daemon/1184 * nl UNCONN 0 0 rtnl:evolution-addre/2329 * nl UNCONN 0 0 rtnl:wpa_supplicant/1547 *
4) Display TCP socket connections
Display only TCP sockets connections on your Linux system, run:
$ ss -t State Recv-Q Send-Q Local Address:Port Peer Address:Port ESTAB 0 0 192.168.43.4:38658 142.250.183.2:https ESTAB 0 0 192.168.43.4:47464 142.250.182.227:https ESTAB 0 0 192.168.43.4:40184 34.102.149.62:https ESTAB 0 0 192.168.43.4:34546 23.211.105.67:https ESTAB 0 0 192.168.43.4:41188 52.37.132.164:https ESTAB 0 0 192.168.43.4:34548 23.211.105.67:https ESTAB 0 0 192.168.43.4:57118 142.250.196.34:https ESTAB 0 0 192.168.43.4:59392 35.244.159.8:https ESTAB 0 0 192.168.43.4:49948 94.237.76.92:ssh ESTAB 0 0 192.168.43.4:52680 142.250.77.34:https
By default the “t” option reports only the tcp sockets that are “established” or CONNECTED”, and doesn’t report the tcp sockets that are “LISTENING”. Use the ‘-a’ option together with ‘-t’, if you want to view them all at once.
$ ss -ta State Recv-Q Send-Q Local Address:Port Peer Address:Port LISTEN 0 128 0.0.0.0:ssh 0.0.0.0:* LISTEN 0 5 127.0.0.1:ipp 0.0.0.0:* LISTEN 0 100 127.0.0.1:smtp 0.0.0.0:* LISTEN 0 10 0.0.0.0:daap 0.0.0.0:* ESTAB 0 0 192.168.43.4:38658 142.250.183.2:https ESTAB 0 0 192.168.43.4:47464 142.250.182.227:https ESTAB 0 0 192.168.43.4:40184 34.102.149.62:https ESTAB 0 0 192.168.43.4:45086 182.161.72.132:https ESTAB 0 0 192.168.43.4:41188 52.37.132.164:https ESTAB 0 0 192.168.43.4:59392 35.244.159.8:https ESTAB 0 0 192.168.43.4:49948 94.237.76.92:ssh
4-a) Display UDP socket connections
$ ss -ua State Recv-Q Send-Q Local Address:Port Peer Address:Port UNCONN 0 0 192.168.43.4:46312 0.0.0.0:* UNCONN 0 0 224.0.0.251:mdns 0.0.0.0:* UNCONN 0 0 224.0.0.251:mdns 0.0.0.0:* UNCONN 0 0 0.0.0.0:mdns 0.0.0.0:* UNCONN 0 0 0.0.0.0:47347 0.0.0.0:* UNCONN 0 0 192.168.43.4:56078 0.0.0.0:* ESTAB 0 0 192.168.43.4%wlan0:bootpc 192.168.43.1:bootps UNCONN 0 0 [::]:mdns [::]:* UNCONN 0 0 [2402:3a80:462:e78:e4ca:8bb:a7ae:8888]:40157 [::]:* UNCONN 0 0 [::]:48993 [::]:* UNCONN 0 0 [2402:3a80:462:e78:e4ca:8bb:a7ae:8888]:33353 [::]:* ESTAB 0 0 [2402:3a80:462:e78:e4ca:8bb:a7ae:8888]:33597 [2404:6800:4009:809::2004]:https
4-b) Display UNIX socket connections
$ ss -xa Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port u_str LISTEN 0 128 /run/systemd/journal/stdout 13825 * 0 u_str LISTEN 0 128 /tmp/.ICE-unix/1989 36552 * 0 u_dgr UNCONN 0 0 /run/systemd/journal/socket 13827 * 0 u_str LISTEN 0 5 /tmp/.esd-1000/socket 40072 * 0 u_str LISTEN 0 1 /tmp/.X11-unix/X0 37262 * 0 u_str LISTEN 0 128 /run/user/1000/keyring/.ssh 514311 * 0 u_str LISTEN 0 128 @/tmp/.ICE-unix/1989 36551 * 0 u_str LISTEN 0 10 /run/mcelog/mcelog-client 28958 * 0 u_str LISTEN 0 128 /var/run/nscd/socket 29728 * 0 u_str LISTEN 0 1 @/tmp/.X11-unix/X0 37261 * 0
4-c) Display RAW socket connections
$ ss -wa State Recv-Q Send-Q Local Address:Port Peer Address:Port UNCONN 0 0 *:ipv6-icmp *:*
5) Print only listening TCP socket connections
To print only listening TCP socket connections, run:
$ ss -ltn State Recv-Q Send-Q Local Address:Port Peer Address:Port LISTEN 0 128 0.0.0.0:22 0.0.0.0:* LISTEN 0 5 127.0.0.1:631 0.0.0.0:* LISTEN 0 100 127.0.0.1:25 0.0.0.0:* LISTEN 0 10 0.0.0.0:3689 0.0.0.0:* LISTEN 0 128 [::]:22 [::]:* LISTEN 0 5 [::1]:631 [::]:* LISTEN 0 100 [::1]:25 [::]:* LISTEN 0 10 [::]:3689 [::]:*
6) List IPv4 and Ipv6 socket connections
To display only IPv4 socket connections, run:
$ ss -4 Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port udp ESTAB 0 0 192.168.43.4%wlan0:bootpc 192.168.43.1:bootps tcp ESTAB 0 0 192.168.43.4:41188 52.37.132.164:https tcp ESTAB 0 0 192.168.43.4:59392 35.244.159.8:https tcp ESTAB 0 0 192.168.43.4:49948 94.237.76.92:ssh tcp CLOSE-WAIT 1 0 192.168.43.4:50232 35.244.247.133:https tcp ESTAB 0 0 192.168.43.4:51714 142.250.77.34:https tcp ESTAB 0 0 192.168.43.4:51724 142.250.77.34:https tcp ESTAB 0 0 192.168.43.4:56566 13.227.129.99:https tcp ESTAB 0 0 192.168.43.4:48470 142.250.183.98:https tcp ESTAB 0 0 192.168.43.4:56718 216.58.196.66:https
To list only IPv4 listening TCP socket connections, run:
$ ss -tl4 State Recv-Q Send-Q Local Address:Port Peer Address:Port LISTEN 0 128 0.0.0.0:ssh 0.0.0.0:* LISTEN 0 5 127.0.0.1:ipp 0.0.0.0:* LISTEN 0 100 127.0.0.1:smtp 0.0.0.0:* LISTEN 0 10 0.0.0.0:daap 0.0.0.0:*
For IPv6, run:
$ ss -6
$ ss -tl6
7) Print process name and pid with ss command
To list process name and pid associated to the network connections, run: Make a note, you need to run this command with sudo privilege to view all process name and associated pid.
$ sudo ss -ltp
[sudo] password for root:
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:ssh 0.0.0.0:* users:(("sshd",pid=1338,fd=3))
LISTEN 0 5 127.0.0.1:ipp 0.0.0.0:* users:(("cupsd",pid=1260,fd=7))
LISTEN 0 100 127.0.0.1:smtp 0.0.0.0:* users:(("master",pid=1630,fd=13))
LISTEN 0 10 0.0.0.0:daap 0.0.0.0:* users:(("rhythmbox",pid=16209,fd=18))
LISTEN 0 128 [::]:ssh [::]:* users:(("sshd",pid=1338,fd=4))
LISTEN 0 5 [::1]:ipp [::]:* users:(("cupsd",pid=1260,fd=6))
LISTEN 0 100 [::1]:smtp [::]:* users:(("master",pid=1630,fd=14))
LISTEN 0 10 [::]:daap [::]:* users:(("rhythmbox",pid=16209,fd=19))
8) Show timer information of socket connections
To show how long the socket connection is alive, run:
$ ss -tn -o State Recv-Q Send-Q Local Address:Port Peer Address:Port ESTAB 0 0 192.168.43.4:41188 52.37.132.164:443 timer:(keepalive,9min54sec,0) ESTAB 0 0 192.168.43.4:59392 35.244.159.8:443 ESTAB 0 0 192.168.43.4:50678 103.43.90.19:443 timer:(keepalive,9.512ms,0) ESTAB 0 0 192.168.43.4:49948 94.237.76.92:22 timer:(keepalive,38min,0) ESTAB 0 0 192.168.43.4:36528 182.161.72.130:443 ESTAB 0 0 192.168.43.4:48704 142.250.192.66:443 ESTAB 0 0 192.168.43.4:38544 103.43.89.4:443 timer:(keepalive,8sec,0) ESTAB 0 517 192.168.43.4:57978 182.161.72.137:443 timer:(on,288ms,0)
9) Print summary statistics
To view overall summary of all socket connections, run: It prints the results in a tabular format, which including the number of TCP & UDP, IPv4 and IPv6 socket connections.
$ ss -s Total: 1278 TCP: 35 (estab 10, closed 11, orphaned 0, timewait 2) Transport Total IP IPv6 RAW 1 0 1 UDP 11 7 4 TCP 24 13 11 INET 36 20 16 FRAG 0 0 0
10) View extended output of socket connections
To view extended output of socket connections, run. The extended output will display the uid of the socket and socket’s inode number.
$ ss -lte State Recv-Q Send-Q Local Address:Port Peer Address:Port LISTEN 0 128 0.0.0.0:ssh 0.0.0.0:* ino:27515 sk:4dc <-> LISTEN 0 5 127.0.0.1:ipp 0.0.0.0:* ino:30778 sk:4dd <-> LISTEN 0 100 127.0.0.1:smtp 0.0.0.0:* ino:34118 sk:4de <-> LISTEN 0 10 0.0.0.0:daap 0.0.0.0:* uid:1000 ino:442177 sk:586 <-> LISTEN 0 128 [::]:ssh [::]:* ino:27517 sk:4f3 v6only:1 <-> LISTEN 0 5 [::1]:ipp [::]:* ino:30777 sk:4f4 v6only:1 <-> LISTEN 0 100 [::1]:smtp [::]:* ino:34119 sk:4f5 v6only:1 <-> LISTEN 0 10 [::]:daap [::]:* uid:1000 ino:442178 sk:587 v6only:1 <->
11) Display memory usage of socket connections
To view how much memory is consumed by a socket connection, run:
$ ss -ltm
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:ssh 0.0.0.0:*
skmem:(r0,rb131072,t0,tb16384,f0,w0,o0,bl0,d0)
LISTEN 0 5 127.0.0.1:ipp 0.0.0.0:*
skmem:(r0,rb131072,t0,tb16384,f0,w0,o0,bl0,d0)
LISTEN 0 100 127.0.0.1:smtp 0.0.0.0:*
skmem:(r0,rb131072,t0,tb16384,f0,w0,o0,bl0,d0)
LISTEN 0 10 0.0.0.0:daap 0.0.0.0:*
skmem:(r0,rb131072,t0,tb16384,f0,w0,o0,bl0,d0)
LISTEN 0 128 [::]:ssh [::]:*
skmem:(r0,rb131072,t0,tb16384,f0,w0,o0,bl0,d0)
LISTEN 0 5 [::1]:ipp [::]:*
skmem:(r0,rb131072,t0,tb16384,f0,w0,o0,bl0,d0)
LISTEN 0 100 [::1]:smtp [::]:*
skmem:(r0,rb131072,t0,tb16384,f0,w0,o0,bl0,d0)
LISTEN 0 10 [::]:daap [::]:*
skmem:(r0,rb131072,t0,tb16384,f0,w0,o0,bl0,d0)
12) Filter Connections with ss command
The ss command allows advanced filtering that can be used to filter specific connections or stat or port or address or service, etc,.
12-a) Filtering socket connections by socket states
Syntax: ss [option] [state] [name of the socet state]
To display all tcp sockets that are in “listening” state, run:
$ ss -lt state established Recv-Q Send-Q Local Address:Port Peer Address:Port 0 0 192.168.43.4:39008 142.250.192.2:https 0 0 192.168.43.4:41188 52.37.132.164:https 0 0 192.168.43.4:59392 35.244.159.8:https 0 0 192.168.43.4:49948 94.237.76.92:ssh 0 0 192.168.43.4:48704 142.250.192.66:https 0 0 192.168.43.4:51714 142.250.77.34:https
The other common state can be:
- listening
- closed
- syn-sent
- syn-recv
- fin-wait-1
- time-wait
- close-wait
- connected
- synchronized
12-b) Filtering socket connections by port number
Syntax: ss [option] dport = :[port number] ss [option] sport = :[port number] ss [option] '( dport = :[port number] or sport = :[port number] )'
To filter sockets based on the port number, run. For instance, to filter ssh service, you can run the following commands as needed.
$ ss -at dport = :22 State Recv-Q Send-Q Local Address:Port Peer Address:Port ESTAB 0 0 192.168.43.4:49948 94.237.76.92:ssh
$ ss -lt sport = :22 State Recv-Q Send-Q Local Address:Port Peer Address:Port LISTEN 0 128 0.0.0.0:ssh 0.0.0.0:* LISTEN 0 128 [::]:ssh [::]:*
$ ss -at dst :22 State Recv-Q Send-Q Local Address:Port Peer Address:Port ESTAB 0 0 192.168.43.4:49948 94.237.76.92:ssh
$ ss -at src :22 State Recv-Q Send-Q Local Address:Port Peer Address:Port LISTEN 0 128 0.0.0.0:ssh 0.0.0.0:* LISTEN 0 128 [::]:ssh [::]:*
$ ss -at '( dport = :22 or sport = :22 )' State Recv-Q Send-Q Local Address:Port Peer Address:Port LISTEN 0 128 0.0.0.0:ssh 0.0.0.0:* ESTAB 0 0 192.168.43.4:49948 94.237.76.92:ssh LISTEN 0 128 [::]:ssh [::]:*
To filter multiple ports at once, run:
$ ss -nt '( dst :443 or dst :22 )' State Recv-Q Send-Q Local Address:Port Peer Address:Port ESTAB 0 0 192.168.43.4:41188 52.37.132.164:443 ESTAB 0 0 192.168.43.4:44970 103.43.90.20:443 ESTAB 0 0 192.168.43.4:59392 35.244.159.8:443 ESTAB 0 0 192.168.43.4:43254 34.95.69.49:443 SYN-SENT 0 1 192.168.43.4:58884 182.161.72.137:443 ESTAB 0 0 192.168.43.4:49948 94.237.76.92:22 CLOSE-WAIT 1 0 192.168.43.4:50232 35.244.247.133:443
12-c) Filtering socket connections by service name
Similarly you can filter sockets connections based on the service name, run.
$ ss -at dport = :ssh State Recv-Q Send-Q Local Address:Port Peer Address:Port ESTAB 0 0 192.168.43.4:49948 94.237.76.92:ssh
$ ss -lt sport = :ssh State Recv-Q Send-Q Local Address:Port Peer Address:Port LISTEN 0 128 0.0.0.0:ssh 0.0.0.0:* LISTEN 0 128 [::]:ssh [::]:*
$ ss -at dst :https State Recv-Q Send-Q Local Address:Port Peer Address:Port ESTAB 0 0 192.168.43.4:45084 103.43.90.20:https ESTAB 0 0 192.168.43.4:45076 103.43.90.20:https ESTAB 0 0 192.168.43.4:41188 52.37.132.164:https ESTAB 0 0 192.168.43.4:59392 35.244.159.8:https ESTAB 0 0 192.168.43.4:43254 34.95.69.49:https
$ ss -at src :ssh State Recv-Q Send-Q Local Address:Port Peer Address:Port LISTEN 0 128 0.0.0.0:ssh 0.0.0.0:* LISTEN 0 128 [::]:ssh [::]:*
$ ss -at '( dport = :ssh or sport = :ssh )' State Recv-Q Send-Q Local Address:Port Peer Address:Port LISTEN 0 128 0.0.0.0:ssh 0.0.0.0:* ESTAB 0 0 192.168.43.4:49948 94.237.76.92:ssh LISTEN 0 128 [::]:ssh [::]:*
$ ss -at '( dst :https or dst :ssh )' State Recv-Q Send-Q Local Address:Port Peer Address:Port ESTAB 0 0 192.168.43.4:41188 52.37.132.164:https ESTAB 0 0 192.168.43.4:59392 35.244.159.8:https ESTAB 0 0 192.168.43.4:49948 94.237.76.92:ssh CLOSE-WAIT 1 0 192.168.43.4:50232 35.244.247.133:https ESTAB 0 0 192.168.43.4:51714 142.250.77.34:https
$ ss -at '( dst :https or src :ssh )' State Recv-Q Send-Q Local Address:Port Peer Address:Port LISTEN 0 128 0.0.0.0:ssh 0.0.0.0:* ESTAB 0 0 192.168.43.4:41188 52.37.132.164:https ESTAB 0 0 192.168.43.4:59392 35.244.159.8:https CLOSE-WAIT 1 0 192.168.43.4:50232 35.244.247.133:https ESTAB 0 0 192.168.43.4:51714 142.250.77.34:https
$ ss -at '( src :smtp or src :ssh )' State Recv-Q Send-Q Local Address:Port Peer Address:Port LISTEN 0 128 0.0.0.0:ssh 0.0.0.0:* LISTEN 0 100 127.0.0.1:smtp 0.0.0.0:* LISTEN 0 128 [::]:ssh [::]:* LISTEN 0 100 [::1]:smtp [::]:*
12-d) Filtering socket connections by IP address
To list connections to a specific destination IP address, run:
Syntax: ss [option] dst [IP Address]
For instance, to view a list of connection established to a specific IP address, run:
$ ss -at dst 192.168.43.40 State Recv-Q Send-Q Local Address:Port Peer Address:Port ESTAB 0 0 192.168.43.4:49948 192.168.43.40:ssh
ss command man page
If you want to explore any other options that are not available in this guide, visit ss command man page.
$ man ss
or
$ ss --help
Conclusion
In this guide, we have shown you how to use ss command in Linux with several examples, including various filtering options.
If you have any questions or feedback, feel free to comment below.
Hi,
Thanks a lot
nice article…