Monitoring network connection using ss command
A very useful tool in administering a Linux network is the ss command. You can identify socket statistics with this command. The ss command is very similar to the netstat command. However, you can gain more useful information about TCP and state information with the ss command.
The ss command is fast. Information is very fast when you are searching. The netstat command can seem very slow in comparison to this tool. If you need to track sockets and TCP connections, the ss command can help you. ss command can provide information about:
- All TCP sockets.
- All UDP sockets.
- All established ssh / ftp / http / https connections.
- All local processes connected to X server.
- Filtering by state (such as connected, synchronized, SYN-RECV, SYN-SENT,TIME-WAIT), addresses and ports.
- All the tcp sockets in state FIN-WAIT-1 and much more.
In this article explain how to use ss command on linux system.
Example usage ss command
The syntax of ss command is :
# ss [ OPTIONS ]
or
# ss [ OPTIONS ] [ FILTER ]
1. List all connection
Type following command to list out all connections:
# ss | more
Example output:
rasho@Gandalf ~ $ ss |more Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port u_str ESTAB 0 0 * 219827 * 220601 u_str ESTAB 0 0 @/tmp/.X11-unix/X0 223495 * 223494 u_str ESTAB 0 0 * 220663 * 220044 u_str ESTAB 0 0 @/tmp/.X11-unix/X0 220453 * 219708 u_str ESTAB 0 0 @/tmp/dbus-elWbPTCWlq 223497 * 223496 ............................ tcp ESTAB 0 0 192.168.1.2:33643 68.232.35.139:https tcp ESTAB 0 0 192.168.1.2:56529 54.236.180.90:9999 tcp ESTAB 0 0 192.168.1.2:45982 31.13.81.128:https tcp ESTAB 0 0 192.168.1.2:50923 173.194.70.84:https tcp ESTAB 0 0 192.168.1.2:39490 23.63.85.109:http tcp ESTAB 0 0 192.168.1.2:42899 79.101.110.89:https
2. List all TCP, UDP and Unix connection
List all TCP connection
To list all TCP connection use -t option:
# ss -t
Note: By default the “-t” options report only “ESTABLISHED” or “CONNECTED” connections. If use the “-ta” option report show all TCP connections (connected and listening).
List all UDP connection
To list all UDP connection use -u option:
# ss -ua
Note:The “-ua” option tells ss to report both “CONNECTED” and “LISTENING” sockets.
List all Unix connection
To list all UDP connection use -x option:
# ss -x
3. Sumary statistics report
To print sumary statistics use “-s” option:
# ss -s
4. Display all open network ports
To display all open network ports, do ss -l as shown below.
# ss -l
5. Display only IPv4 or IPv6 socket connections
To display only IPv4 socket connections use the ‘-f inet‘ or ‘-4‘ option.
# ss -tl -f inet
or
# ss -tl -4
Example output:
# ss -tl -f inet State Recv-Q Send-Q Local Address:Port Peer Address:Port LISTEN 0 50 *:microsoft-ds *:* LISTEN 0 50 *:netbios-ssn *:* LISTEN 0 5 127.0.1.1:domain *:* LISTEN 0 128 *:ssh *:* LISTEN 0 128 127.0.0.1:ipp *:*
To display only IPv6 socket connections use the ‘-f inet6‘ or ‘-6‘ option.
# ss -tl -f inet6
or
# ss -tl -6
Example output:
# ss -tl -6 State Recv-Q Send-Q Local Address:Port Peer Address:Port LISTEN 0 50 :::microsoft-ds :::* LISTEN 0 50 :::netbios-ssn :::* LISTEN 0 128 :::ssh :::* LISTEN 0 128 ::1:ipp :::*
6. Do not resolve hostname
Use the “-n” option if you wish prevent ss command to resolving ip addresses to hostnames.
# ss -tn
7. Show timer information
To display timer information use the ‘-o‘ option:
# ss -tn -o
8. Filter connections using TCP states
The syntax is as follows:
## tcp ipv4 ## ss -4 state FILTER-NAME-HERE ## tcp ipv6 ## ss -6 state FILTER-NAME-HERE
Where FILTER-NAME-HERE can be any one of the following,
- established
- syn-sent
- syn-recv
- fin-wait-1
- fin-wait-2
- time-wait
- closed
- close-wait
- last-ack
- listen
- closing
- all : All of the above states
- connected : All the states except for listen and closed
- synchronized : All the connected states except for syn-sent
- bucket : Show states, which are maintained as minisockets, i.e. time-wait and syn-recv.
- big : Opposite to bucket state.
That’s is all! For more information about ss command see man page:
# man ss
Surprised I didn’t see my personal favourite.
List all ports you are listening to nd which service listening
% sudo ss -nlp State Recv-Q Send-Q Local Address:Port Peer Address:Port LISTEN 0 128 127.0.0.1:80 *:* users:(("nginx",1430,7),("nginx",1429,7),("nginx",1428,7),("nginx",1427,7),("nginx",1426,7)) LISTEN 0 128 127.0.0.1:28017 *:* users:(("mongod",11491,8)) LISTEN 0 128 127.0.0.1:5939 *:* users:(("teamviewerd",2067,14)) LISTEN 0 128 127.0.0.1:631 *:* users:(("cupsd",837,9)) LISTEN 0 128 ::1:631 :::* users:(("cupsd",837,8)) LISTEN 0 128 *:3000 *:* users:(("gulp",31585,11)) LISTEN 0 100 *:11192 *:* users:(("skype",2211,34)) LISTEN 0 128 *:3001 *:* users:(("gulp",31585,14)) LISTEN 0 128 *:3002 *:* users:(("gulp",31585,12)) LISTEN 0 128 *:4000 *:* users:(("node",31316,11)) LISTEN 0 128 127.0.0.1:27017 *:* users:(("mongod",11491,6))