The ss command

Linux

The ss command is a powerful utility used to display socket statistics, providing detailed information about network connections, including TCP, UDP, and Unix domain sockets. ss is valuable for network troubleshooting, identifying open ports, monitoring connections, and analyzing network traffic.

1. Basic syntax

ss [options] [ FILTER ]

2. Most used options

Here are the most frequently used options; the list is far from exhaustive:

Option  Description
-t      Display TCP sockets
-u      Display UDP sockets
-l      Show only listening sockets
-a      Show all sockets (listening and non-listening)
-n      Show raw IP addresses and ports (no DNS/service name resolution)
-p      Display process using the socket (needs root privileges)
-e      Show extended socket information
-i      Display internal TCP information
-o      Show timer information (e.g., retransmits, timeouts)
-r      Resolve IP addresses to hostnames
-s      Show summary statistics for sockets
-4      Show only IPv4 sockets
-6      Show only IPv6 sockets

3. Practical examples

3.1 List all sockets

ss

Without any arguments, ss returns a complete list of TCP sockets with established connections. Because the output can be very large, we can redirect it to a file:

ss > output-result.txt

3.2 View TCP sockets only

ss -t -a

3.3 View UDP sockets only

ss -u -a

3.4 Listening sockets

These are the sockets waiting for an incoming connection:

ss -l

3.5 Established connections

ss -e

3.6

4. Filtering with TCP states

According to the man page, the results of ss can be filtered by TCP state. The syntax when using states is:

For TCP over IPv4:
ss -4 state FILTER

For TCP over IPv6:
ss -6 state FILTER

Available filters are:

  • established
  • syn-sent
  • syn-recv
  • fin-wait-1
  • fin-wait-2
  • time-wait
  • closed
  • close-wait
  • last-ack
  • listening
  • closing
  • all - for all the states
  • connected - all the states except for listening and closed
  • synchronized - all the connected states except for syn-sent
  • bucket - states, which are maintained as minisockets, i.e. time-wait and syn-recv
  • big - opposite to bucket
  • bound-inactive - bound but otherwise inactive sockets (not listening, connecting, etc.)

4.1 Examples: filtering with TCP states

Display established HTTP connections:

ss -o state established '( dport = :http or sport = :http )'

Display all established SSH connections:

ss -o state established '( dport = :ssh or sport = :ssh )'

View all listening IPv4 sockets on our server:

ss -4 state listening

Show all ports connected from remote address 192.168.1.100:

ss dst 192.168.1.100

Show connections made by remote address 192.168.1.100 to our server, by specific protocol:

ss dst 192.168.1.100:http
ss dst 192.168.1.100:443
ss dst 192.168.1.100:smtp

List ports connected to local address 104.128.190.118:

ss src 104.128.190.118

List only HTTP ports connected to local address 104.128.190.118:

ss src 104.128.190.118:80

Sources: man page, nixCraft, GeeksforGeeks
