How to use the command 'ss' (with examples)
- Linux
- December 25, 2023
The command ‘ss’ (socket statistics) is a utility that provides information about socket connections. It can be used to investigate various types of sockets, filter sockets by states, display processes connected to sockets, and more.
Use case 1: Show all TCP/UDP/RAW/UNIX sockets
Code:
ss -a -t|-u|-w|-x
Motivation: This use case is helpful when you need to get a comprehensive overview of all TCP, UDP, RAW, and UNIX sockets currently active on your system.
Explanation:
-a option: Display all sockets, including listening and non-listening sockets.
-t, -u, -w, -x options: Filter the sockets by type: -t for TCP sockets, -u for UDP sockets, -w for RAW sockets, and -x for UNIX sockets.
Example output:
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 192.168.0.10:49676 123.45.67.89:443
Use case 2: Filter TCP sockets by states, only/exclude
Code:
ss state/exclude bucket/big/connected/synchronized/...
Motivation: This use case allows you to filter TCP sockets based on their states, such as connected, synchronized, etc. This can be useful for troubleshooting or monitoring purposes.
Explanation:
state/exclude argument: Filter the TCP sockets based on their state. Multiple state options can be provided, separated by commas.
Example output:
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 192.168.0.10:49676 123.45.67.89:443
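An added example (not from the original article) of putting a state filter to work: it reads the output of `ss -Htn state syn-recv` and reports peers holding many half-open sockets. The function name, the limit and the sample lines are constructed; -H (no header) and -n (numeric output) are standard ss options not covered above.

```shell
#!/bin/sh
# peers_over_limit LIMIT
# Reads `ss -Htn state STATE` output on stdin and prints "count peer"
# for every peer address that holds at least LIMIT sockets in that state.
# Fields are taken from the right-hand side because ss omits the State
# column when the filter selects exactly one state.
peers_over_limit() {
    awk -v limit="$1" '
    NF >= 4 {
        peer = $NF                    # last column is Peer Address:Port
        sub(/:[^:]*$/, "", peer)      # drop the port, keep IPv6 brackets
        seen[peer]++
    }
    END {
        for (p in seen)
            if (seen[p] >= limit) print seen[p], p
    }' | sort -k1,1nr -k2,2
}

# Constructed sample of `ss -Htn state syn-recv` output
# (columns: Recv-Q Send-Q Local Peer; documentation address ranges).
sample_syn_recv() {
    cat <<'EOF'
0 0 192.0.2.10:443 203.0.113.7:40112
0 0 192.0.2.10:443 203.0.113.7:40113
0 0 192.0.2.10:443 203.0.113.7:40114
0 0 192.0.2.10:443 198.51.100.23:51820
0 0 [2001:db8::10]:443 [2001:db8::99]:33010
0 0 [2001:db8::10]:443 [2001:db8::99]:33011
EOF
}

# Live use: ss -Htn state syn-recv | peers_over_limit 50
sample_syn_recv | peers_over_limit 2
```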
Use case 3: Show all TCP sockets connected to the local HTTPS port (443)
Code:
ss -t src :443
Motivation: This use case identifies all TCP sockets whose local port is the HTTPS port (443). This shows which connections are established to an HTTPS service running on this host.
Explanation:
-t option: Filter the sockets to show only TCP sockets.
src :443 argument: Filter the sockets based on the source (local) address being any and the source (local) port being 443.
Example output:
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 192.168.0.10:443 123.45.67.89:49676
Use case 4: Show all TCP sockets listening on the local 8080 port
Code:
ss -lt src :8080
Motivation: This use case allows you to identify all TCP sockets actively listening on the local port 8080. This is useful when you want to check which processes or services are using a specific port.
Explanation:
-l option: Only show listening sockets.
-t option: Filter the sockets to show only TCP sockets.
src :8080 argument: Filter the sockets based on the source (local) address being any and the source (local) port being 8080.
Example output:
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 0 192.168.0.10:8080 *:*
Use case 5: Show all TCP sockets along with processes connected to a remote ssh port
Code:
ss -pt dst :ssh
Motivation: This use case allows you to identify all TCP sockets connected to a remote SSH port along with the processes associated with those connections. This can be useful for monitoring SSH connections or identifying suspicious activity.
Explanation:
-p option: Show the processes associated with the sockets.
-t option: Filter the sockets to show only TCP sockets.
dst :ssh argument: Filter the sockets based on the destination (remote) address being any and the destination port being the standard SSH port (22).
Example output:
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 192.168.0.10:49676 123.45.67.89:22 sshd
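An added example (not from the original article) that combines the listening filter from use case 4 with the -p process column from use case 5 into a listener audit: it reads `ss -Htlnp` output and reports TCP listeners bound to a wildcard address on ports outside an allowlist. The function name, the allowlist and the sample lines are constructed; -H (no header) and -n (numeric output) are standard ss options not covered above.

```shell
#!/bin/sh
# flag_exposed_listeners "ALLOWED PORTS"
# Reads `ss -Htlnp` output on stdin and prints "port process" for every
# TCP listener bound to all interfaces whose port is not in the allowlist.
flag_exposed_listeners() {
    awk -v allowed="$1" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "LISTEN" {
        addr = $4; port = $4
        sub(/:[^:]*$/, "", addr)      # strip ":port", keep IPv6 brackets
        sub(/.*:/, "", port)          # keep only what follows the last ":"
        if (addr != "*" && addr != "0.0.0.0" && addr != "[::]") next
        if (port in ok) next
        name = "?"                    # Process column is empty without privileges
        if (match($6, /"[^"]+"/)) name = substr($6, RSTART + 1, RLENGTH - 2)
        print port, name
    }' | sort -u -k1,1n -k2,2
}

# Constructed sample of `ss -Htlnp` output
# (columns: State Recv-Q Send-Q Local Peer Process).
sample_ss_output() {
    cat <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 127.0.0.1:8080 0.0.0.0:* users:(("node",pid=2201,fd=19))
LISTEN 0 4096 *:9100 *:* users:(("node_exporter",pid=950,fd=3))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=812,fd=4))
LISTEN 0 5 0.0.0.0:8000 0.0.0.0:* users:(("python3",pid=3310,fd=3))
LISTEN 0 244 0.0.0.0:5432 0.0.0.0:*
EOF
}

# Live use (as root, so every socket shows its owning process):
#   ss -Htlnp | flag_exposed_listeners "22 443"
sample_ss_output | flag_exposed_listeners "22 443"
```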
Use case 6: Show all UDP sockets connected on specific source and destination ports
Code:
ss -u 'sport == :source_port and dport == :destination_port'
Motivation: This use case allows you to filter UDP sockets based on specific source and destination ports. This is helpful when you want to monitor UDP connections between specific endpoints.
Explanation:
-u option: Filter the sockets to show only UDP sockets.
'sport == :source_port and dport == :destination_port' argument: Filter the sockets based on the source port being source_port and the destination port being destination_port.
Example output:
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 192.168.0.10:49676 123.45.67.89:443
Use case 7: Show all TCP IPv4 sockets locally connected on the subnet 192.168.0.0/16
Code:
ss -4t src 192.168/16
Motivation: This use case allows you to specifically filter TCP sockets that are locally connected on a specific IP subnet. This can help identify connections within a specific network range.
Explanation:
-4 option: Filter the sockets to show only IPv4 sockets.
-t option: Filter the sockets to show only TCP sockets.
src 192.168/16 argument: Filter the sockets based on the source IP being in the subnet 192.168.0.0/16.
Example output:
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 192.168.0.10:49676 123.45.67.89:443
Use case 8: Kill IPv4 or IPv6 Socket Connection with destination IP 192.168.1.17 and destination port 8080
Code:
ss --kill dst 192.168.1.17 dport = 8080
Motivation: This use case allows you to terminate a specific IPv4 or IPv6 socket connection with a given destination IP and port. This is useful when you want to forcefully close a connection to troubleshoot or manage network activity.
Explanation:
--kill option: Terminate the specified socket connection.
dst 192.168.1.17 argument: Filter the sockets with the destination IP being 192.168.1.17.
dport = 8080 argument: Filter the sockets with the destination port being 8080.
Example output: (No output is displayed if the connection is successfully terminated)
Conclusion:
The ‘ss’ command is a powerful utility for investigating sockets and can be used in various ways to filter and display socket connections. Whether you need to monitor network activity, troubleshoot connection issues, or identify specific types of sockets or processes, the ‘ss’ command provides a flexible and efficient solution.