Skip to content
Linux Academy by Uirá Ribeiro

SS command on Linux (investigate the network)

The ss command on Linux is extremely useful for investigating sockets, providing various information about the network. It is the evolution of the netstat command from the old Net-Tools. It is important to understand that a socket can be a network connection, as well as a Unix-like socket, which is a special file that acts as a “communication bridge” between two programs.

Your most common options are:

  • -a: list all sockets;
  • -r: resolve IP addresses and ports by service names;
  • -n: does not resolve IP addresses and ports for services;
  • -l: lists only open ports (LISTEN);
  • -e: shows detailed information about the socket;
  • -m: shows the socket’s memory allocation;
  • -p: shows the process that owns the socket;
  • -i: shows TCP statistics about the socket;
  • -K: forces a socket to close;

-s: shows network statistics;

  • -t: filters only TCP packets;
  • -u: filters only UDP packets;
  • -4: filters only IPv4 packets;
  • -6: filters only IPv6 packets;

Some options may be combined to form a given result.

Examples:

To view network statistics:

$ ss -s <br></br>Total: 1020 <br></br>TCP: 25 (estab 2, closed 1, orphaned 0, timewait 1) <br></br>Transport Total IP IPv6 <br></br>RAW 1 0 1 <br></br>UDP 9 6 3 <br></br>TCP 24 22 2 <br></br>INET 34 28 6 <br></br>FRAG 0 0 0

To view open TCP ports (under LISTENING):

$ ss -lt <br></br>State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 127.0.0.53% lo:domain 0.0.0.0: *
LISTEN 0 128 0.0.0.0:ssh 0.0.0.0: *
LISTEN 0 128 [::] :ssh [::] :*

To show the open TCP and UDP ports and the processes that own the sockets. To show the processes, the user must be the root administrator, or using sudo command to gain superpowers:

# ss -ltpu
Netid State Local Address
udo UNCONN 127.0.0. 1:323 users :( (“chronyd”, pid=20898, fd=5))
tcp LISTEN 0.0.0.0:ssh users: ((“sshd”, pid=9857, fd=3))

Shows all connections established on port (22) of ssh:

$ ss -o state established '(dport =:ssh or sport =:ssh)' <br></br>Netid Recv-Q Send-Q Local Address:Port Peer Address:Port <br></br>TCP 0 0 10.211.55.63:ssh& nbsp; 10,211.55. 2:64749 timer :( keepalive,104 min,0)

This command is useful for diagnosing the following problems:

  • Check which network services are running (-l)
  • Check the amount of memory consumed by a socket (-m)
  • Check the processes that own the sockets (-p)
  • Check established connections (-o state established)
  • Check the amount of data traveled on a connection TCP (-i)