The ss (socket statistics) command provides a lot of information by displaying details on socket activity. One way to get started, although this may be a bit overwhelming, is to use the ss -h (help) command to get a listing of the command’s numerous options. Another is to try some of the more useful commands and get an idea what each of them can tell you.<\/p>\n
One very useful command is the ss -s command. This command will show you some overall stats by transport type. In this output, we see stats for RAW, UDP, TCP, INET and FRAG sockets.<\/p>\n
$ ss -s
\nTotal: 524
\nTCP: 8 (estab 1, closed 0, orphaned 0, timewait 0)<\/p>\n
Transport Total IP IPv6
\nRAW 2 1 1
\nUDP 7 5 2
\nTCP 8 6 2
\nINET 17 12 5
\nFRAG 0 0 0<\/p>\n
Clearly the by-protocol lines above aren’t displaying the totality of the socket activity. The figure in the Total line at the top of the output indicates that there is a lot more going on than the by-type lines suggest. Still, these breakdowns can be very useful.<\/p>\n
If you want to see a list of all socket activity, you can use the ss -a command, but be prepared to see a lot<\/i> of activity \u2014 as suggested by this output. Much of the socket activity on this system is local to the system being examined.<\/p>\n
$ ss -a | wc -l
\n555<\/p>\n
If you want to see a specific category of socket activity:<\/p>\n
The a in each of the commands above means “all”.<\/p>\n
The ss command without arguments will display all established connections. Notice that only two of the connections shown below are for external connections \u2014 two other systems on the local network. A significant portion of the output below has been omitted for brevity.<\/p>\n
$ ss | more
\nNetid State Recv-Q Send-Q Local Address:Port Peer Address:Port
\nu_str ESTAB 0 0 * 20863 * 20864
\nu_str ESTAB 0 0 * 32232 * 33018
\nu_str ESTAB 0 0 * 33147 * 3257544ddddy
\nu_str ESTAB 0 0 \/run\/user\/121\/bus 32796 * 32795
\nu_str ESTAB 0 0 \/run\/user\/121\/bus 32574 * 32573
\nu_str ESTAB 0 0 * 32782 * 32783
\nu_str ESTAB 0 0 \/run\/systemd\/journal\/stdout 19091 * 18113
\nu_str ESTAB 0 0 * 769568 * 768429
\nu_str ESTAB 0 0 * 32560 * 32561
\nu_str ESTAB 0 0 @\/tmp\/dbus-8xbBdjNe 33155 * 33154
\nu_str ESTAB 0 0 \/run\/systemd\/journal\/stdout 32783 * 32782
\n\u2026
\ntcp ESTAB 0 64 192.168.0.16:ssh 192.168.0.6:25944
\ntcp ESTAB 0 0 192.168.0.16:ssh 192.168.0.6:5385<\/p>\n
To see just established tcp connections, use the -t option.<\/p>\n
$ ss -t
\nState Recv-Q Send-Q Local Address:Port Peer Address:Port
\nESTAB 0 64 192.168.0.16:ssh 192.168.0.6:25944
\nESTAB 0 0 192.168.0.16:ssh 192.168.0.9:5385<\/p>\n
To display only listening sockets, try ss -lt.<\/p>\n
$ ss -lt
\nState Recv-Q Send-Q Local Address:Port Peer Address:Port
\nLISTEN 0 10 127.0.0.1:submission 0.0.0.0:*
\nLISTEN 0 128 127.0.0.53%lo:domain 0.0.0.0:*
\nLISTEN 0 128 0.0.0.0:ssh 0.0.0.0:*
\nLISTEN 0 5 127.0.0.1:ipp 0.0.0.0:*
\nLISTEN 0 10 127.0.0.1:smtp 0.0.0.0:*
\nLISTEN 0 128 [::]:ssh [::]:*
\nLISTEN 0 5 [::1]:ipp [::]:*<\/p>\n
If you’d prefer to see port number than service names, try ss -ltn instead:<\/p>\n
$ ss -ltn
\nState Recv-Q Send-Q Local Address:Port Peer Address:Port
\nLISTEN 0 10 127.0.0.1:587 0.0.0.0:*
\nLISTEN 0 128 127.0.0.53%lo:53 0.0.0.0:*
\nLISTEN 0 128 0.0.0.0:22 0.0.0.0:*
\nLISTEN 0 5 127.0.0.1:631 0.0.0.0:*
\nLISTEN 0 10 127.0.0.1:25 0.0.0.0:*
\nLISTEN 0 128 [::]:22 [::]:*
\nLISTEN 0 5 [::1]:631 [::]:*<\/p>\n
Plenty of help is available for the ss command either through the man page or by using the -h (help) option as shown below:<\/p>\n
$ ss -h
\nUsage: ss [ OPTIONS ]
\nss [ OPTIONS ] [ FILTER ]
\n-h, –help this message
\n-V, –version output version information
\n-n, –numeric don’t resolve service names
\n-r, –resolve resolve host names
\n-a, –all display all sockets
\n-l, –listening display listening sockets
\n-o, –options show timer information
\n-e, –extended show detailed socket information
\n-m, –memory show socket memory usage
\n-p, –processes show process using socket
\n-i, –info show internal TCP information
\n–tipcinfo show internal tipc socket information
\n-s, –summary show socket usage summary
\n-b, –bpf show bpf filter socket information
\n-E, –events continually display sockets as they are destroyed
\n-Z, –context display process SELinux security contexts
\n-z, –contexts display process and socket SELinux security contexts
\n-N, –net switch to the specified network namespace name<\/p>\n
-4, –ipv4 display only IP version 4 sockets
\n-6, –ipv6 display only IP version 6 sockets
\n-0, –packet display PACKET sockets
\n-t, –tcp display only TCP sockets
\n-S, –sctp display only SCTP sockets
\n-u, –udp display only UDP sockets
\n-d, –dccp display only DCCP sockets
\n-w, –raw display only RAW sockets
\n-x, –unix display only Unix domain sockets
\n–tipc display only TIPC sockets
\n–vsock display only vsock sockets
\n-f, –family=FAMILY display sockets of type FAMILY
\nFAMILY :=<\/p>\n
-K, –kill forcibly close sockets, display what was closed
\n-H, –no-header Suppress header line<\/p>\n
-A, –query=QUERY, –socket=QUERY
\nQUERY := [,QUERY]<\/p>\n
-D, –diag=FILE Dump raw information about TCP sockets to FILE
\n-F, –filter=FILE read filter information from FILE
\nFILTER := [ state STATE-FILTER ] [ EXPRESSION ]
\nSTATE-FILTER :=
\nTCP-STATES := |time-wait|closed|close-wait|last-ack|listening|closing}
\nconnected := |time-wait|close-wait|last-ack|closing}
\nsynchronized := |time-wait|close-wait|last-ack|closing}
\nbucket :=
\nbig := |closed|close-wait|last-ack|listening|closing}<\/p>\n
The ss command clearly offers a huge range of options for examining sockets, but you still might want to turn those that provide you with the most useful information into aliases to make them more memorable. For example:<\/p>\n
$ alias listen=”ss -lt”
\n$ alias socksum=”ss -s”<\/p>\n