How to Use the 'ss' Command (with examples)
- Linux
- December 17, 2024
The ss command, often likened to the more traditional netstat, is a powerful utility for investigating sockets on Unix-like systems. It provides detailed information on network connections, socket statistics, and performance metrics. Because it runs faster and shows more detail in some areas than netstat, ss is a preferred tool for network diagnostics and analysis.
Show All TCP/UDP/RAW/UNIX Sockets
Code:
ss -a -t|-u|-w|-x
Motivation:
Network administrators and users often need to get a comprehensive overview of all the active sockets on their system. Whether it’s to troubleshoot network issues, monitor system activity, or check for unauthorized connections, having a broad view of current TCP, UDP, RAW, and UNIX sockets is crucial for managing network resources effectively.
Explanation:
-a: This flag makes ss display all sockets, both listening and non-listening (established) ones.
-t: Specifies that the command should show TCP sockets.
-u: Specifies that the command should show UDP sockets.
-w: Specifies that the command should show RAW sockets.
-x: Specifies that the command should show UNIX domain sockets.
Example Output:
Netid  State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
tcp    ESTAB   0       0       192.168.1.5:ssh     192.168.1.10:33842
udp    UNCONN  0       0       0.0.0.0:bootpc      0.0.0.0:*
unix   STREAM  0       0       /run/user/1000/bus  0
Filter TCP Sockets by States, Only/Exclude
Code:
ss state/exclude bucket/big/connected/synchronized/...
Motivation:
In-depth monitoring of network states is often required to manage and optimize network performance. By filtering TCP sockets based on their state, users can quickly understand the health and state of their network connections and take necessary actions such as identifying failed connections or overly congested networks.
Explanation:
state/exclude: Filters the output based on the TCP state. state shows only sockets that are in the specified states, while exclude hides them from the output.
bucket, big, connected, synchronized, ...: These are examples of different states or filters that can be applied, such as bucket for specific congestion management states or synchronized for well-established connections.
Example Output:
Netid  State     Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
tcp    SYN-SENT  0       1       192.168.1.5:40065   203.0.113.1:http
Show All TCP Sockets Connected to the Local HTTPS Port (443)
Code:
ss -t src :443
Motivation:
Monitoring traffic on specific ports, especially common service ports like HTTPS (443), is essential for web servers to ensure secure and reliable connectivity. This can help administrators confirm that secure web service communications are performing as expected.
Explanation:
-t: Shows only TCP sockets, which are typically used for HTTPS connections.
src :443: Filters the output to include only those TCP sockets where the source port is 443, indicating secure HTTPS traffic.
Example Output:
Netid  State  Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
tcp    ESTAB  0       0       192.0.2.5:https     198.51.100.14:52546
Show All TCP Sockets Listening on the Local 8080 Port
Code:
ss -lt src :8080
Motivation:
Port 8080 is often used for web traffic, usually in development or local testing scenarios. Administrators can use this command to verify which services are actively listening for incoming connections on this port to ensure their applications are set up correctly.
Explanation:
-l: Lists only the sockets that are currently in a listening state.
-t: Shows only TCP sockets.
src :8080: Filters for sockets where the source port is 8080, commonly used for web servers or proxy handlers.
Example Output:
Netid  State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
tcp    LISTEN  0       128     0.0.0.0:http-alt    0.0.0.0:*
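Added example (not part of the original page): checking one port by hand generalizes to auditing every listener. The script below reads ss -Hltnp output and reports listeners that are reachable from other hosts on ports outside an expected list; the function names, the sample lines and the expected ports 22 and 443 are assumptions made for illustration.

```bash
# Constructed sample of `ss -Hltnp` output (not captured from a real host).
# The last line carries a leading Netid column, as in the page's examples.
sample_listeners() {
cat <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=640,fd=14))
LISTEN 0 511 [::]:8080 [::]:* users:(("node",pid=4410,fd=21))
LISTEN 0 128 [::1]:5432 [::]:* users:(("postgres",pid=1200,fd=5))
tcp LISTEN 0 4096 *:9100 *:* users:(("node_exporter",pid=700,fd=3))
EOF
}

# audit_listeners "PORT PORT ..." : read ss listener lines on stdin and print
# every listener reachable from other hosts whose port is not in the list.
audit_listeners() {
    awk -v allowed="$1" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    {
        # Locate the State column; it is field 1, or field 2 after a Netid.
        s = ($1 == "LISTEN") ? 1 : (($2 == "LISTEN") ? 2 : 0)
        if (!s) next
        loc = $(s + 3)
        # Split at the LAST colon so IPv6 literals such as [::]:8080 survive.
        match(loc, /:[^:]*$/)
        addr = substr(loc, 1, RSTART - 1); port = substr(loc, RSTART + 1)
        sub(/^\[/, "", addr); sub(/\]$/, "", addr)   # [::1]         -> ::1
        sub(/%.*$/, "", addr)                        # 127.0.0.53%lo -> 127.0.0.53
        if (addr ~ /^127\./ || addr == "::1") next   # loopback: local only
        if (port in ok) next                         # expected service
        proc = "-"                                   # no -p data for this socket
        if (match($0, /users:\(\("[^"]*"/))
            proc = substr($0, RSTART + 9, RLENGTH - 10)
        bind = (addr == "0.0.0.0" || addr == "::" || addr == "*") ? "all-interfaces" : addr
        printf "UNEXPECTED port=%s bind=%s proc=%s\n", port, bind, proc
    }'
}

# Live use (as root, so -p can see every owner): ss -Hltnp | audit_listeners "22 443"
sample_listeners | audit_listeners "22 443"
```

The -H and -n flags drop the header and keep ports numeric, which is why the sample shows 8080 rather than http-alt.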
Show All TCP Sockets Along with Processes Connected to a Remote SSH Port
Code:
ss -pt dst :ssh
Motivation:
SSH is an essential protocol for secure remote administration. By examining all processes connected via SSH, administrators can keep track of remote interactions with their machines, ensuring secure and intentional connections.
Explanation:
-p: Includes process information in the output for each socket.
-t: Shows only TCP sockets.
dst :ssh: Filters for sockets where the destination port is ssh (22 by default), indicating connections to the SSH service.
Example Output:
Netid  State  Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
tcp    ESTAB  0       0       192.168.1.5:35022   192.168.1.10:ssh   users:(("ssh",pid=10293,fd=10))
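Added example (not part of the original page): the Process column can hold several owners per socket, so attributing outbound SSH connections means walking every entry in users:(...). The script below lists each process holding a connection to a remote SSH port unless its name is in an expected list; the function names, the sample lines and the expected names ssh, scp and git are assumptions made for illustration.

```bash
# Constructed sample of `ss -Hptn dst :22` output (not captured from a real host).
# Line 2: one socket shared by a parent and its child. Line 3: a second socket
# from the same pid to the same peer. Line 4: no Process column at all.
sample_ssh_sockets() {
cat <<'EOF'
ESTAB 0 0 192.168.1.5:35022 192.168.1.10:22 users:(("ssh",pid=10293,fd=10))
ESTAB 0 0 192.168.1.5:41100 203.0.113.7:22 users:(("python3",pid=20555,fd=4),("sh",pid=20560,fd=4))
ESTAB 0 0 192.168.1.5:41102 203.0.113.7:22 users:(("python3",pid=20555,fd=6))
ESTAB 0 0 192.168.1.5:50312 198.51.100.9:22
EOF
}

# unexpected_ssh_clients "NAME NAME ..." : read ss -p lines on stdin and print
# each (process, pid, peer) whose process name is not in the expected list.
unexpected_ssh_clients() {
    awk -v allowed="$1" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    {
        u = ""
        for (i = 2; i <= NF; i++)
            if ($i ~ /^users:\(/) {          # Process column found
                peer = $(i - 1)              # the peer is the field before it
                u = $0; sub(/^.*users:\(/, "", u)
                break
            }
        if (u == "") { print "UNATTRIBUTED peer=" $NF; next }
        # Walk every ("name",pid=N,fd=M) entry; a socket can have several owners.
        while (match(u, /\("[^"]*",pid=[0-9]+/)) {
            ent = substr(u, RSTART + 2, RLENGTH - 2)   # name",pid=N
            u = substr(u, RSTART + RLENGTH)
            name = ent; sub(/".*$/, "", name)
            pid = ent;  sub(/^.*pid=/, "", pid)
            if ((name in ok) || seen[pid, peer]++) continue
            printf "REVIEW proc=%s pid=%s peer=%s\n", name, pid, peer
        }
    }'
}

# Live use: ss -Hptn dst :22 | unexpected_ssh_clients "ssh scp git"
sample_ssh_sockets | unexpected_ssh_clients "ssh scp git"
```

Without root, ss -p only reports owners for the caller's own sockets, so connections belonging to other users show up as UNATTRIBUTED.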
Show All UDP Sockets Connected on Specific Source and Destination Ports
Code:
ss -u 'sport == :source_port and dport == :destination_port'
Motivation:
UDP applications like streaming services require precise tracking of traffic for specific source and destination ports, aiding in performance metrics or troubleshooting. Using this command, administrators can target and review particular UDP connections.
Explanation:
-u: Shows only UDP sockets.
'sport == :source_port and dport == :destination_port': Filters the UDP sockets to include only those connections with the specific source and destination ports, allowing customized inspection of different UDP services.
Example Output:
Netid  State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
udp    UNCONN  0       0       192.168.1.5:60984   203.0.113.2:17000
Show All TCP IPv4 Sockets Locally Connected on the Subnet 192.168.0.0/16
Code:
ss -4t src 192.168/16
Motivation:
Identifying TCP IPv4 connections within a specific local subnet is vital for network management and security assessments. This provides insight into internal communications, helping to optimize internal network performance and detect any anomalies.
Explanation:
-4: Restricts the output to IPv4 sockets only.
-t: Shows only TCP sockets.
src 192.168/16: Filters the connections that are sourced from the specified local subnet, useful for intranet tracking.
Example Output:
Netid  State  Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
tcp    ESTAB  0       0       192.168.1.5:40210   192.168.2.3:http
Kill IPv4 or IPv6 Socket Connection with Destination IP 192.168.1.17 and Destination Port 8080
Code:
ss --kill dst 192.168.1.17 dport = 8080
Motivation:
Sometimes connections need to be terminated forcefully to stop malicious data flow or to manage network resources better. This is especially true for undesired connections at specific IPs and ports, where immediate intervention is required.
Explanation:
--kill: Forcefully terminates the specified socket connection.
dst 192.168.1.17: Indicates the destination IP address of the connection.
dport = 8080: Specifies the destination port of the connection to be killed, typically used for web traffic.
Example Output:
Killed connection: 192.168.1.17:8080
Conclusion:
The ss command is an invaluable tool in the network administrator’s toolkit. Through its myriad of filtering and display options, it provides deep insights into the active sockets on the machine, allowing for enhanced diagnostics, monitoring, and control over network communications. Whether you’re filtering specific types of connections, examining traffic on particular ports, or terminating unwanted network activity, ss offers powerful capabilities essential for effective network management.