The ss command in Linux is the essential, high-performance tool for inspecting socket statistics, active connections, and listening services on modern distributions. Whether you're troubleshooting a server, auditing open ports, or identifying which process owns a connection, ss provides fast, kernel-level visibility that outperforms the legacy netstat tool. This guide explains ss syntax, common options, advanced filtering by port, address, and connection state, and practical examples for real-world diagnostics. Learn how to use numeric output, show process information, narrow results on busy systems, and interpret Recv-Q/Send-Q values so you can quickly locate issues and secure your server.
ss command: Basic Syntax and What It Shows
The basic ss invocation lists non-listening sockets by default. Use options to include listening sockets, filter by protocol (TCP/UDP), show process details, or return numeric ports. Below is the base command to list all sockets regardless of state.
ss -a Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port tcp ESTAB 0 0 192.0.2.10:22 198.51.100.5:52874 tcp LISTEN 0 128 0.0.0.0:80 0.0.0.0:* udp UNCONN 0 0 0.0.0.0:123 0.0.0.0:* unix LISTEN 0 4096 /var/run/docker.sock *
The -a option lists all sockets. Columns include Netid (socket type), State, receive/send queues, and local/peer address:port. Unix domain sockets show filesystem paths. This overview is the starting point for more focused queries.
Filter by Protocol: TCP, UDP, and Unix Sockets
Use protocol-specific flags to narrow output. Combined flags let you inspect listening sockets and include numeric addresses or process info. Wrapping multiple short flags is supported.
ss -t State Recv-Q Send-Q Local Address:Port Peer Address:Port ESTAB 0 0 192.0.2.10:ssh 198.51.100.5:52874 SYN-RECV 0 0 203.0.113.25:443 192.0.2.35:49212 LISTEN 0 128 0.0.0.0:http 0.0.0.0:*
The -t flag restricts output to TCP sockets. To view UDP only use -u, and Unix sockets with -x. Combining with -l shows listening sockets.
Show Listening Services and the Processes That Own Them
On servers you often need to know which process is bound to a port. Use the -tulpn combination to display TCP/UDP listening sockets with PIDs and numeric ports.
ss -tulpn
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=1345,fd=3))
tcp LISTEN 0 511 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=2489,fd=5))
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:* users:(("dhclient",pid=912,fd=6)) Flags: -t TCP, -u UDP, -l listening only, -p show processes, -n numeric. Running this requires root to see other users’ processes; use sudo for full visibility.
Show Process Information for Active Connections
To map established sockets back to processes, include the -p option. If you need numeric ports to enable reliable grepping, add -n.
sudo ss -tpn
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 192.0.2.10:22 198.51.100.5:52874 users:(("sshd",pid=1345,fd=5))
ESTAB 0 0 192.0.2.10:3306 203.0.113.50:58412 users:(("mysqld",pid=2765,fd=21)) Use sudo so -p reveals processes owned by other users. The Process column shows the executable name, PID, and file descriptor for the socket.
Numeric Output and Name Resolution
By default ss resolves ports to service names and sometimes hostnames. For scripting or to avoid DNS delays, use the -n flag to keep numeric addresses and ports.
ss -tn State Recv-Q Send-Q Local Address:Port Peer Address:Port ESTAB 0 0 192.0.2.10:22 198.51.100.5:52874 LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
The -n option is highly recommended in automation: port-based filters and greps are accurate when service names aren’t used.
Filter by Port, Address, and Connection State
ss supports expressive filters for source/destination ports and addresses, and connection states like ESTABLISHED, LISTEN, and TIME-WAIT. Use quoted expressions to avoid shell parsing issues.
ss -tnp 'dport = :443'
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 192.0.2.10:443 203.0.113.10:52344 users:(("nginx",pid=5671,fd=12)) Here ‘dport = :443’ filters by destination port 443. For source port use sport = :
Show Only IPv4 or IPv6 Sockets
When troubleshooting dual-stack servers, restrict output to IPv4 or IPv6 to reduce noise.
ss -tln -4 State Recv-Q Send-Q Local Address:Port Peer Address:Port LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
Add -4 for IPv4 or -6 for IPv6. Combining with -l and -n provides clear, numeric listening endpoints per address family.
Socket Summary Statistics for a Quick Health Check
If you need a rapid, aggregate snapshot of socket counts by type and state, use the summary option. This is helpful on busy servers to detect unusual connection volumes.
ss -s Total: 412 TCP: 68 (estab 45, closed 3, orphaned 0, timewait 10) Transport Total IP IPv6 RAW 1 0 1 UDP 12 10 2 TCP 68 50 18 INET 81 60 21
The short summary shows totals and per-transport breakdown. Look for unusually high TIME-WAIT counts or a surge in ESTABLISHED connections as signs of heavy load or connection churn.
Practical Diagnostics: Examples and Patterns
Below are practical commands you will use regularly in incident response, capacity planning, and port audits. Each example includes the command and a realistic sample output to help you interpret results.
sudo ss -tlpn sport = :8080
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp LISTEN 0 128 0.0.0.0:8080 0.0.0.0:* users:(("java",pid=4210,fd=58)) This finds which service listens on port 8080. The Process field identifies a Java-based app bound on all interfaces.
ss -tn state ESTABLISHED State Recv-Q Send-Q Local Address:Port Peer Address:Port ESTAB 0 0 192.0.2.10:22 198.51.100.5:52874 ESTAB 0 0 192.0.2.10:3306 203.0.113.50:58412
Count or inspect active connections to identify heavy-use services. Piping to wc -l (ignoring header lines) gives a connection count.
ss -tn dst 203.0.113.10 State Recv-Q Send-Q Local Address:Port Peer Address:Port ESTAB 0 0 192.0.2.10:443 203.0.113.10:52344 ESTAB 0 0 192.0.2.10:80 203.0.113.10:48812
Use dst or src to focus on a specific remote host. This helps track who is communicating with the server.
Troubleshooting Tips and Interpreting Queues
Key signs to watch for: non-zero Recv-Q on a listening socket often indicates application backlog; non-zero Send-Q on established connections may indicate network congestion or a slow peer. TIME-WAIT accumulation can point to high connection churn; consider tuning TCP TIME-WAIT reuse if appropriate for your workload. If ss -p does not show processes, run under sudo. Use -n when grepping numeric ports to avoid missing matches due to service name resolution.
Conclusion
ss is the modern, high-performance replacement for netstat and should be part of every sysadmin's toolkit. With flexible filtering, numeric output, process mapping, and summary statistics, ss enables fast diagnosis of open sockets, listening services, and connection issues across IPv4 and IPv6. Use combined options like -tulpn for routine port audits, -tn state ESTABLISHED for connection analysis, and the built-in filter language to target specific ports or peers. Regular use of ss improves incident response speed and helps maintain secure, well-performing Linux servers.