ss command is a modern replacement for the classic
netstat. You can use it on Linux to get statistics about your network connections. How to work with this handy tool.
SS command versus netstat
A compensation for the depreciated
ss gives you detailed information about how your computer communicates with other computers, networks and services.
ss shows statistics for Transmission Control Protocol (TCP), User Datagram Protocol (UDP), Unix (interprocess) and raw sockets. Raw sockets work at the network OSI level, which means that TCP and UDP headers must be handled by the application software, not by the transport layer. Internet Control Message Protocol (ICMP) messages and the ping tool both use raw sockets.
You do not need to install
ss, as it is already part of a current Linux distribution. However, the production can be very long ̵
Because of this, we have included text representations of the results we got, as they would not fit in a screenshot. We have trimmed them to make them more manageable.
List network connections
ss without command line options, sockets that do not listen are listed. That is, it shows the sockets that are not in the listening state.
Type the following to see this:
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process u_str ESTAB 0 0 * 41826 * 41827 u_str ESTAB 0 0 /run/systemd/journal/stdout 35689 * 35688 u_str ESTAB 0 0 * 35550 * 35551 ... u_str ESTAB 0 0 * 38127 * 38128 u_str ESTAB 0 0 /run/dbus/system_bus_socket 21243 * 21242 u_str ESTAB 0 0 * 19039 * 19040 u_str ESTAB 0 0 /run/systemd/journal/stdout 18887 * 18885 u_str ESTAB 0 0 /run/dbus/system_bus_socket 19273 * 17306 icmp6 UNCONN 0 0 *:ipv6-icmp *:* udp ESTAB 0 0 192.168.4.28%enp0s3:bootpc 192.168.4.1:bootps
The columns are as follows:
- NetID: Type of outlet. In our example, we have “u_str”, a Unix stream, an “udp” and “icmp6”, an IP version 6 of ICMP. You can find more descriptions of Linux socket types on the Linux male pages.
- State: The condition in which the socket is in.
- Recv-Q: Number of packets received.
- Send-Q: The number of packages sent.
- Local address: Port: The local address and port (or equivalent values for Unix sockets).
- Peer Address: Port: Remote address and port (or equivalent values for Unix sockets).
For UDP sockets, the “Permission” column is usually empty. For TCP sockets, it can be one of the following:
- LISTEN: Server side only. The socket is waiting for a connection request.
- SYN is sent: Client side only. This socket has made a connection request and is waiting to see if it is accepted.
- SYN received: Server side only. This socket is waiting for a connection confirmation after accepting a connection request.
- ESTABLISHED: Servers and clients. A working connection has been established between the server and the client, which allows data to be transferred between the two.
- FIN-WAIT-1: Servers and clients. This socket is waiting for a request for termination of connection from the remote socket or a confirmation of a request for termination of connection that was previously sent from this socket.
- FIN-WAIT-2: Servers and clients. This socket is waiting for a request to end the connection from the remote socket.
- CLOSE WAIT: Server and client. This socket is waiting for a connection end request from the local user.
- CLOSING: Servers and clients. This socket is waiting for a confirmation of connection termination confirmation from the remote socket.
- LAST-ACK: Server and client. This socket is waiting for a confirmation of the connection termination request that it sent to the remote socket.
- TIME WAIT: Servers and clients. This socket sent a confirmation to the remote socket to announce that it received the remote socket. It is now waiting to ensure that confirmation has been received.
- CLOSED: There is no connection, so the outlet has been terminated.
Listing Listing Sockets
To see listening outlets, we add
-l (listening) options, so:
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process nl UNCONN 0 0 rtnl:NetworkManager/535 * nl UNCONN 0 0 rtnl:evolution-addre/2987 * ... u_str LISTEN 0 4096 /run/systemd/private 13349 * 0 u_seq LISTEN 0 4096 /run/udev/control 13376 * 0 u_str LISTEN 0 4096 /tmp/.X11-unix/X0 33071 * 0 u_dgr UNCONN 0 0 /run/systemd/journal/syslog 13360 * 0 u_str LISTEN 0 4096 /run/systemd/fsck.progress 13362 * 0 u_dgr UNCONN 0 0 /run/user/1000/systemd/notify 32303 * 0
These sockets are all plugged in and listening. “Rtnl” means routing netlink, which is used to transfer information between kernels and userpace processes.
List all outlets
To list all outlets you can use
-a (all) options:
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process nl UNCONN 0 0 rtnl:NetworkManager/535 * nl UNCONN 0 0 rtnl:evolution-addre/2987 * ... u_str LISTEN 0 100 public/showq 23222 * 0 u_str LISTEN 0 100 private/error 23225 * 0 u_str LISTEN 0 100 private/retry 23228 * 0 ... udp UNCONN 0 0 0.0.0.0:631 0.0.0.0:* udp UNCONN 0 0 0.0.0.0:mdns 0.0.0.0:* ... tcp LISTEN 0 128 [::]:ssh [::]:* tcp LISTEN 0 5 [::1]:ipp [::]:* tcp LISTEN 0 100 [::1]:smtp [::]:*
The output contains all sockets regardless of condition.
List of TCP outlets
You can also use a filter so that only matching outlets are displayed. We will use
-t (TCP), so that only TCP sockets are listed:
ss -a -t
List of UDP outlets
-u The (UDP) option performs the same type of filter action. This time we only see UDP sockets:
ss -a -u
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process UNCONN 0 0 0.0.0.0:631 0.0.0.0:* UNCONN 0 0 0.0.0.0:mdns 0.0.0.0:* UNCONN 0 0 0.0.0.0:60734 0.0.0.0:* UNCONN 0 0 127.0.0.53%lo:domain 0.0.0.0:* ESTAB 0 0 192.168.4.28%enp0s3:bootpc 192.168.4.1:bootps UNCONN 0 0 [::]:mdns [::]:* UNCONN 0 0 [::]:51193 [::]:*
List of Unix outlets
If you can only see Unix sockets, you can include
-x (Unix) option, shown below:
ss -a -x
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process u_str ESTAB 0 0 * 41826 * 41827 u_str ESTAB 0 0 * 23183 * 23184 u_str ESTAB 28 0 @/tmp/.X11-unix/X0 52640 * 52639 ... u_str ESTAB 0 0 /run/systemd/journal/stdout 18887 * 18885 u_str ESTAB 0 0 /run/dbus/system_bus_socket 19273 * 17306
List raw outlets
The filter for raw outlets is
-w (raw) alternative:
ss -a -w
List IP version 4 sockets
Sockets with the TCP / IP version 4 protocol can be listed using
-4 (IPV4) option:
ss -a -4
List IP version 5 sockets
You can turn on the matching IP version 6 filter with
-6 (IPV6) option, so:
ss -a -6
List withdrawals by state
You can specify withdrawals according to the condition they are in
state alternative. This works with established, listening or closed states. We also use the solution option (
-r), which tries to resolve network addresses for names and ports for protocols.
The following command looks for established TCP connections, and
ss will try to solve the names:
ss -t -r state established
Four connections are listed that are in the established state. The hostname ubuntu20-04 has been resolved and “ssh” is displayed instead of 22 for the SSH connection on the second line.
We can repeat this to look for outlets in the listening state:
ss -t -r state listening
Recv-Q Send-Q Local Address:Port Peer Address:Port Process 0 128 localhost:5939 0.0.0.0:* 0 4096 localhost%lo:domain 0.0.0.0:* 0 128 0.0.0.0:ssh 0.0.0.0:* 0 5 localhost:ipp 0.0.0.0:* 0 100 localhost:smtp 0.0.0.0:* 0 128 [::]:ssh [::]:* 0 5 ip6-localhost:ipp [::]:* 0 100 ip6-localhost:smtp [::]:*
List withdrawals by protocol
You can specify the outlets with a specific protocol with
sport options that represent the respective destination and source ports.
We write the following to list withdrawals with the HTTPS protocol on one
established connection (note the space after the open parenthesis and before the closing one):
ss -a state established ‘( dport = :https or sport = :https )’
We can use the protocol name or the port that is usually associated with that protocol. The default port for Secure Shell (SSH) is port 22.
We use the protocol name in a command and then repeat it with the port number:
ss -a ‘( dport = :ssh or sport = :ssh )’
ss -a ‘( dport = :22 or sport = :22 )’
As expected, we get the same result.
List connections to a specific IP address
dst (destination) option, we can list connections to a specific destination IP address.
We write the following:
ss -a dst 192.168.4.25
If you want to see which processes use the sockets, you can use the process option (
-p), shown below (note that you must use
sudo ss -t -p
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process ESTAB 0 0 192.168.4.28:57650 220.127.116.11:https users:(("firefox",pid=3378,fd=151)) ESTAB 0 0 192.168.4.28:ssh 192.168.4.25:43946 users:(("sshd",pid=4086,fd=4),("sshd",pid=3985,fd=4))
This shows us that the two established connections on TCP sockets are used by the SSH daemon and Firefox.
A worthy successor
ss the command provides the same information previously provided by
netstat, but in a simpler and more accessible way. You can check out the men page for more options and tips.