How to Use the 'ss' Command (with examples)

How to Use the 'ss' Command (with examples)

The ss command, often likened to the more traditional netstat, is a powerful utility for investigating sockets on Unix-like systems. It provides detailed information on network connections, socket statistics, and performance metrics. By offering a quicker execution and more detailed display in some areas than netstat, ss is a preferred tool for network diagnostics and analysis.

Show All TCP/UDP/RAW/UNIX Sockets

Code:

ss -a -t|-u|-w|-x

Motivation:

Network administrators and users often need to get a comprehensive overview of all the active sockets on their system. Whether it’s to troubleshoot network issues, monitor system activity, or check for unauthorized connections, having a broad view of current TCP, UDP, RAW, and UNIX sockets is crucial for managing network resources effectively.

Explanation:

  • -a: This flag makes ss display all sockets, both listening and non-listening (established) ones.
  • -t: Specifies that the command should show TCP sockets.
  • -u: Specifies that the command should show UDP sockets.
  • -w: Specifies that the command should show RAW sockets.
  • -x: Specifies that the command should show UNIX domain sockets.

Example Output:

Netid  State      Recv-Q Send-Q  Local Address:Port   Peer Address:Port
tcp    ESTAB      0      0       192.168.1.5:ssh      192.168.1.10:33842
udp    UNCONN     0      0       0.0.0.0:bootpc       0.0.0.0:*
unix   STREAM     0      0       /run/user/1000/bus   0

Filter TCP Sockets by States, Only/Exclude

Code:

ss state/exclude bucket/big/connected/synchronized/...

Motivation:

In-depth monitoring of network states is often required to manage and optimize network performance. By filtering TCP sockets based on their state, users can quickly understand the health and state of their network connections and take necessary actions such as identifying failed connections or overly congested networks.

Explanation:

  • state/exclude: Filters the output based on the TCP state. state shows only sockets that are in the specified states, while exclude hides them from the output.
  • bucket, big, connected, synchronized, ...: These are examples of different states or filters that can be applied, such as bucket for specific congestion management states or synchronized for well-established connections.

Example Output:

Netid  State      Recv-Q Send-Q  Local Address:Port   Peer Address:Port
tcp    SYN-SENT   0      1       192.168.1.5:40065    203.0.113.1:http

Show All TCP Sockets Connected to the Local HTTPS Port (443)

Code:

ss -t src :443

Motivation:

Monitoring traffic on specific ports, especially common service ports like HTTPS (443), is essential for web servers to ensure secure and reliable connectivity. This can help administrators confirm that secure web service communications are performing as expected.

Explanation:

  • -t: Shows only TCP sockets, which are typically used for HTTPS connections.
  • src :443: Filters the output to include only those TCP sockets where the source port is 443, indicating secure HTTPS traffic.

Example Output:

Netid  State      Recv-Q Send-Q  Local Address:Port   Peer Address:Port
tcp    ESTAB      0      0       192.0.2.5:https      198.51.100.14:52546

Show All TCP Sockets Listening on the Local 8080 Port

Code:

ss -lt src :8080

Motivation:

Port 8080 is often used for web traffic, usually in development or local testing scenarios. Administrators can use this command to verify which services are actively listening for incoming connections on this port to ensure their applications are set up correctly.

Explanation:

  • -l: Lists only the sockets that are currently in a listening state.
  • -t: Shows only TCP sockets.
  • src :8080: Filters for sockets where the source port is 8080, commonly used for web servers or proxy handlers.

Example Output:

Netid  State      Recv-Q Send-Q  Local Address:Port   Peer Address:Port
tcp    LISTEN     0      128     0.0.0.0:http-alt     0.0.0.0:*

Show All TCP Sockets Along with Processes Connected to a Remote SSH Port

Code:

ss -pt dst :ssh

Motivation:

SSH is an essential protocol for secure remote administration. By examining all processes connected via SSH, administrators can keep track of remote interactions with their machines, ensuring secure and intentional connections.

Explanation:

  • -p: Includes process information in the output for each socket.
  • -t: Shows only TCP sockets.
  • dst :ssh: Filters for sockets where the destination port is ssh (22 by default), indicating connections to the SSH service.

Example Output:

Netid  State      Recv-Q Send-Q  Local Address:Port   Peer Address:Port   Process
tcp    ESTAB      0      0       192.168.1.5:35022    192.168.1.10:ssh    users:(("ssh",pid=10293,fd=10))

Show All UDP Sockets Connected on Specific Source and Destination Ports

Code:

ss -u 'sport == :source_port and dport == :destination_port'

Motivation:

UDP applications like streaming services require precise tracking of traffic for specific source and destination ports, aiding in performance metrics or troubleshooting. Using this command, administrators can target and review particular UDP connections.

Explanation:

  • -u: Shows only UDP sockets.
  • 'sport == :source_port and dport == :destination_port': Filters the UDP sockets to include only those connections with the specific source and destination ports, allowing customized inspection of different UDP services.

Example Output:

Netid  State      Recv-Q Send-Q  Local Address:Port   Peer Address:Port
udp    UNCONN     0      0       192.168.1.5:60984    203.0.113.2:17000

Show All TCP IPv4 Sockets Locally Connected on the Subnet 192.168.0.0/16

Code:

ss -4t src 192.168/16

Motivation:

Identifying TCP IPv4 connections within a specific local subnet is vital for network management and security assessments. This provides insight into internal communications, helping to optimize internal network performance and detect any anomalies.

Explanation:

  • -4: Restricts the output to IPv4 sockets only.
  • -t: Show only TCP sockets.
  • src 192.168/16: Filters the connections that are sourced from the specified local subnet, useful for intranet tracking.

Example Output:

Netid  State      Recv-Q Send-Q  Local Address:Port   Peer Address:Port
tcp    ESTAB      0      0       192.168.1.5:40210    192.168.2.3:http

Kill IPv4 or IPv6 Socket Connection with Destination IP 192.168.1.17 and Destination Port 8080

Code:

ss --kill dst 192.168.1.17 dport = 8080

Motivation:

Sometimes connections need to be terminated forcefully to stop malicious data flow or to manage network resources better. This is especially true for undesired connections at specific IPs and ports, where immediate intervention is required.

Explanation:

  • --kill: Forcefully terminates the specified socket connection.
  • dst 192.168.1.17: Indicates the destination IP address of the connection.
  • dport = 8080: Specifies the destination port of the connection to be killed, typically used for web traffic.

Example Output:

Killed connection: 192.168.1.17:8080

Conclusion:

The ss command is an invaluable tool in the network administrator’s toolkit. Through its myriad of filtering and display options, it provides deep insights into the active sockets on the machine, allowing for enhanced diagnostics, monitoring, and control over network communications. Whether you’re filtering specific types of connections, examining traffic on particular ports, or terminating unwanted network activity, ss offers powerful capabilities essential for effective network management.

Tags :

Related Posts

How to use the command 'pamtopng' (with examples)

How to use the command 'pamtopng' (with examples)

The pamtopng command is a part of the Netpbm suite, designed to convert images in the PAM (Portable Arbitrary Map) format to the more universally recognized PNG (Portable Network Graphics) format.

Read More
Kubeflow: Powering the Future of Machine Learning Workflows

Kubeflow: Powering the Future of Machine Learning Workflows

In the fast-paced world of machine learning and artificial intelligence, efficiency and scalability are crucial.

Read More
Using the Command 'sqlite3' (with Examples)

Using the Command 'sqlite3' (with Examples)

SQLite3 is a powerful command-line interface to SQLite 3, a self-contained, file-based embedded SQL engine that provides full database functionalities.

Read More