
How to use the ss command on Linux




The ss command is a modern replacement for the classic netstat. You can use it on Linux to get statistics about your network connections. Here's how to work with this handy tool.

The ss command versus netstat

A replacement for the deprecated netstat command, ss gives you detailed information about how your computer communicates with other computers, networks and services.

ss shows statistics for Transmission Control Protocol (TCP), User Datagram Protocol (UDP), Unix (interprocess) and raw sockets. Raw sockets operate at the network layer of the OSI model, which means that TCP and UDP headers must be handled by the application software, not by the transport layer. Internet Control Message Protocol (ICMP) messages and the ping tool both use raw sockets.

Using ss

You do not need to install ss, as it is already part of a current Linux distribution. However, its output can be very long; we have had results that contain over 630 lines. The results are also very wide.

Because of this, we have included text representations of the results we got, as they would not fit in a screenshot. We have trimmed them to make them more manageable.

List network connections

Using ss with no command-line options lists the sockets that are not listening. That is, it shows the sockets that are not in the listening state.

Type the following to see this:

ss


Netid State Recv-Q Send-Q          Local Address:Port Peer Address:Port   Process
u_str ESTAB 0      0                           * 41826           * 41827
u_str ESTAB 0      0 /run/systemd/journal/stdout 35689           * 35688
u_str ESTAB 0      0                           * 35550           * 35551
...
u_str ESTAB 0      0                           * 38127           * 38128
u_str ESTAB 0      0 /run/dbus/system_bus_socket 21243           * 21242
u_str ESTAB 0      0                           * 19039           * 19040
u_str ESTAB 0      0 /run/systemd/journal/stdout 18887           * 18885 
u_str ESTAB 0      0 /run/dbus/system_bus_socket 19273           * 17306
icmp6 UNCONN 0     0                           *:ipv6-icmp       *:*
udp   ESTAB 0      0         192.168.4.28%enp0s3:bootpc 192.168.4.1:bootps

The columns are as follows:

  • Netid: The type of socket. In our example, we have “u_str”, a Unix stream, a “udp”, and “icmp6”, an IP version 6 ICMP socket. You can find more descriptions of Linux socket types in the Linux man pages.
  • State: The state the socket is in.
  • Recv-Q: The number of packets received.
  • Send-Q: The number of packets sent.
  • Local Address:Port: The local address and port (or equivalent values for Unix sockets).
  • Peer Address:Port: The remote address and port (or equivalent values for Unix sockets).

For UDP sockets, the “State” column is usually empty. For TCP sockets, it can be one of the following:

  • LISTEN: Server side only. The socket is waiting for a connection request.
  • SYN-SENT: Client side only. This socket has made a connection request and is waiting to see if it is accepted.
  • SYN-RECEIVED: Server side only. This socket is waiting for a connection acknowledgment after accepting a connection request.
  • ESTABLISHED: Server and client. A working connection has been established between the server and the client, which allows data to be transferred between the two.
  • FIN-WAIT-1: Server and client. This socket is waiting for a connection termination request from the remote socket, or for an acknowledgment of a connection termination request that was previously sent from this socket.
  • FIN-WAIT-2: Server and client. This socket is waiting for a connection termination request from the remote socket.
  • CLOSE-WAIT: Server and client. This socket is waiting for a connection termination request from the local user.
  • CLOSING: Server and client. This socket is waiting for an acknowledgment of its connection termination request from the remote socket.
  • LAST-ACK: Server and client. This socket is waiting for an acknowledgment of the connection termination request that it sent to the remote socket.
  • TIME-WAIT: Server and client. This socket sent an acknowledgment to the remote socket to let it know that it received the remote socket's termination request. It is now waiting to make sure that acknowledgment has been received.
  • CLOSED: There is no connection, so the socket has been terminated.

List listening sockets

To see the listening sockets, we add the -l (listening) option, like so:

ss -l


Netid State  Recv-Q Send-Q               Local Address:Port                  Peer Address:Port Process 
nl    UNCONN 0      0                             rtnl:NetworkManager/535                * 
nl    UNCONN 0      0                             rtnl:evolution-addre/2987              * 
...
u_str LISTEN 0      4096          /run/systemd/private 13349                            * 0 
u_seq LISTEN 0      4096             /run/udev/control 13376                            * 0 
u_str LISTEN 0      4096             /tmp/.X11-unix/X0 33071                            * 0 
u_dgr UNCONN 0      0      /run/systemd/journal/syslog 13360                            * 0 
u_str LISTEN 0      4096    /run/systemd/fsck.progress 13362                            * 0 
u_dgr UNCONN 0      0    /run/user/1000/systemd/notify 32303                            * 0

These sockets are all unconnected and listening. “rtnl” means routing netlink, which is used to transfer information between the kernel and userspace processes.

List all sockets

To list all sockets, you can use the -a (all) option:

ss -a


Netid State  Recv-Q Send-Q    Local Address:Port                 Peer Address:Port    Process 
nl    UNCONN 0      0                  rtnl:NetworkManager/535               * 
nl    UNCONN 0      0                  rtnl:evolution-addre/2987 * 
...
u_str LISTEN 0      100       public/showq 23222                            * 0 
u_str LISTEN 0      100      private/error 23225                            * 0 
u_str LISTEN 0      100      private/retry 23228                            * 0 
...
udp   UNCONN 0      0             0.0.0.0:631                         0.0.0.0:* 
udp   UNCONN 0      0             0.0.0.0:mdns                        0.0.0.0:* 
...
tcp   LISTEN 0      128              [::]:ssh                            [::]:* 
tcp   LISTEN 0      5               [::1]:ipp                            [::]:* 
tcp   LISTEN 0      100             [::1]:smtp                           [::]:*

The output contains all sockets, regardless of state.

List TCP sockets

You can also apply a filter so that only matching sockets are displayed. We will use the -t (TCP) option, so that only TCP sockets are listed:

ss -a -t

List UDP sockets

The -u (UDP) option performs the same type of filtering action. This time we see only UDP sockets:

ss -a -u


State  Recv-Q Send-Q    Local Address:Port Peer   Address:Port Process 
UNCONN 0      0               0.0.0.0:631         0.0.0.0:* 
UNCONN 0      0               0.0.0.0:mdns        0.0.0.0:* 
UNCONN 0      0               0.0.0.0:60734       0.0.0.0:* 
UNCONN 0      0         127.0.0.53%lo:domain      0.0.0.0:* 
ESTAB 0       0    192.168.4.28%enp0s3:bootpc 192.168.4.1:bootps 
UNCONN 0      0                   [::]:mdns          [::]:* 
UNCONN 0      0                   [::]:51193         [::]:*

List Unix sockets

To see only Unix sockets, you can include the -x (Unix) option, as shown below:

ss -a -x


Netid State Recv-Q Send-Q               Local Address:Port  Peer Address:Port    Process 
u_str ESTAB 0      0                                * 41826            * 41827 
u_str ESTAB 0      0                                * 23183            * 23184 
u_str ESTAB 28     0               @/tmp/.X11-unix/X0 52640            * 52639 
...
u_str ESTAB 0      0      /run/systemd/journal/stdout 18887            * 18885 
u_str ESTAB 0      0      /run/dbus/system_bus_socket 19273            * 17306

List raw sockets

The filter for raw sockets is the -w (raw) option:

ss -a -w


List IP version 4 sockets

Sockets that use the TCP/IP version 4 protocol can be listed using the -4 (IPV4) option:

ss -a -4

List IP version 6 sockets

You can turn on the matching IP version 6 filter with the -6 (IPV6) option, like so:

ss -a -6

List sockets by state

You can list sockets by the state they are in with the state option. This works with the established, listening or closed states. We also use the resolve option (-r), which tries to resolve network addresses to names and ports to protocols.

The following command looks for established TCP connections, and ss will try to resolve the names:

ss -t -r state established

Four connections are listed that are in the established state. The hostname ubuntu20-04 has been resolved and “ssh” is displayed instead of 22 for the SSH connection on the second line.

We can repeat this to look for sockets in the listening state:

ss -t -r state listening


Recv-Q Send-Q Local Address:Port   Peer Address:Port Process 
0      128        localhost:5939        0.0.0.0:* 
0      4096    localhost%lo:domain      0.0.0.0:* 
0      128          0.0.0.0:ssh         0.0.0.0:* 
0      5          localhost:ipp         0.0.0.0:* 
0      100        localhost:smtp        0.0.0.0:* 
0      128             [::]:ssh         [::]:* 
0      5      ip6-localhost:ipp         [::]:* 
0      100    ip6-localhost:smtp        [::]:*

List sockets by protocol

You can list the sockets that use a specific protocol with the dport and sport options, which represent the destination and source ports, respectively.

We type the following to list sockets using the HTTPS protocol on an established connection (note the space after the opening parenthesis and before the closing one):

ss -a state established '( dport = :https or sport = :https )'


We can use the protocol name or the port that is usually associated with that protocol. The default port for Secure Shell (SSH) is port 22.

We use the protocol name in one command and then repeat it with the port number:

ss -a '( dport = :ssh or sport = :ssh )'
ss -a '( dport = :22 or sport = :22 )'


As expected, we get the same result.

List connections to a specific IP address

With the dst (destination) option, we can list connections to a specific destination IP address.

We type the following:

ss -a dst 192.168.4.25


Identify processes

If you want to see which processes are using the sockets, you can use the processes option (-p), as shown below (note that you must use sudo):

sudo ss -t -p


State Recv-Q Send-Q  Local Address:Port   Peer Address:Port  Process 
ESTAB 0      0       192.168.4.28:57650  54.218.19.119:https users:(("firefox",pid=3378,fd=151)) 
ESTAB 0      0       192.168.4.28:ssh     192.168.4.25:43946 users:(("sshd",pid=4086,fd=4),("sshd",pid=3985,fd=4))

This shows us that the two established connections on TCP sockets are used by the SSH daemon and Firefox.
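An added example (not part of the original article): a POSIX shell filter that reads the output of sudo ss -t -l -n -p and labels each TCP listener as bound to all interfaces, to loopback only, or to one specific address, together with the owning process from the Process column. The -n (numeric ports) flag is not covered above; the function names, sample rows, PIDs and process names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit TCP listeners from `sudo ss -t -l -n -p` output on stdin.
# Output per listener: SCOPE PORT ADDRESS PROCESS
#   EXPOSED = wildcard bind (0.0.0.0, [::] or *), reachable on every interface
#   LOCAL   = loopback only;  BOUND = one specific interface address

classify_listeners() {
    awk '
    $1 != "LISTEN" { next }            # skips the header row and non-listening sockets
    {
        addr = $4; port = $4
        sub(/:[^:]*$/, "", addr)       # drop ":port" (last colon onward)
        sub(/^.*:/, "", port)          # keep what follows the last colon
        sub(/%.*$/, "", addr)          # drop the "%interface" suffix, e.g. %lo
        if (addr == "0.0.0.0" || addr == "[::]" || addr == "*") scope = "EXPOSED"
        else if (addr ~ /^127\./ || addr == "[::1]")            scope = "LOCAL"
        else                                                    scope = "BOUND"
        proc = "-"                     # Process column empty, e.g. ss ran without sudo
        if (match($0, /users:\(\("[^"]+"/))
            proc = substr($0, RSTART + 9, RLENGTH - 10)
        print scope, port, addr, proc
    }'
}

# Print EXPOSED listeners whose port is not in the space-separated allowlist $1.
unexpected_exposed() {
    classify_listeners |
        awk -v allow=" $1 " '$1 == "EXPOSED" && index(allow, " " $2 " ") == 0'
}

# Constructed sample in the layout of `ss -t -l -n -p` (not captured from a real host).
sample_ss_output() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      4096   127.0.0.53%lo:53        0.0.0.0:*     users:(("systemd-resolve",pid=601,fd=13))
LISTEN 0      5          127.0.0.1:631       0.0.0.0:*     users:(("cupsd",pid=745,fd=7))
LISTEN 0      128             [::]:22           [::]:*     users:(("sshd",pid=812,fd=4))
LISTEN 0      5              [::1]:631          [::]:*
LISTEN 0      511                *:8080            *:*     users:(("python3",pid=2290,fd=5))
ESTAB  0      0       192.168.4.28:22   192.168.4.25:43946 users:(("sshd",pid=4086,fd=4))
EOF
}

# Demo on the sample; on a live host: sudo ss -t -l -n -p | unexpected_exposed "22"
sample_ss_output | unexpected_exposed "22"
```

The allowlist is a space-separated list of ports you expect to be reachable from other hosts; anything the filter prints is a listener on all interfaces that you did not plan for.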

A worthy successor

The ss command provides the same information previously provided by netstat, but in a simpler and more accessible way. You can check out the man page for more options and tips.



