How to use SS command in Linux
The ss command is a powerful tool for troubleshooting and analyzing network connections in a Linux system. It is a successor to the netstat command, which has been deprecated in many modern Linux distributions. ss provides more information and has more options than netstat, making it a useful tool for network administrators and system administrators.
ss command syntax:
$ ss [options] [ FILTER ]
ss command options:
-h, --help |
Show summary of options. |
-V, --version |
Output version information |
-H, --no-header |
Suppress header line. |
-O, --oneline |
Print each socket's data on a single line. |
-n, --numeric |
Do not try to resolve service names. Show exact bandwidth values, instead of human-readable. |
-r, --resolve |
Try to resolve numeric address/ports. |
-a, --all |
Display both listening and non-listening (for TCP this means established connections) sockets. |
-l, --listening |
Display only listening sockets (these are omitted by default). |
-o, --options |
Show timer information. |
-e, --extended |
Show detailed socket information. |
-m, --memory |
Show socket memory usage. |
-p, --processes |
Show process using socket. |
-i, --info |
Show internal TCP information. |
--tos |
Show Type of Service (ToS) and priority information. |
--cgroup |
Show cgroup information. |
-K, --kill |
Attempts to forcibly close sockets. This option displays sockets that are successfully closed and silently skips sockets that the kernel does not support closing. It supports IPv4 and IPv6 sockets only. |
-s, --summary |
Print summary statistics. This option does not parse socket lists obtaining summary from various sources. It is useful when amount of sockets is so huge that parsing /proc/net/tcp is painful. |
-E, --events |
Continually display sockets as they are destroyed. As the -p option but also shows process security context. |
-Z, --context |
As the -Z option but also shows the socket context. |
-N NSNAME, --net=NSNAME |
Switch to the specified network namespace name. |
-b, --bpf |
Show socket BPF filters (only administrator/root user are allowed to get these information). |
-4, --ipv4 |
Display only IP version 4 sockets (alias for -f inet). |
-6, --ipv6 |
Display only IP version 6 sockets (alias for -f inet6). |
-0, --packet |
Display PACKET sockets (alias for -f link). |
-t, --tcp |
Display TCP sockets. |
-u, --udp |
Display UDP sockets. |
-d, --dccp |
Display DCCP sockets. |
-w, --raw |
Display RAW sockets. |
-x, --unix |
Display Unix domain sockets (alias for -f unix). |
-S, --sctp |
Display SCTP sockets. |
--vsock |
Display vsock sockets (alias for -f vsock). |
--xdp |
Display XDP sockets (alias for -f xdp). |
--inet-sockopt |
Display inet socket options. |
-f FAMILY, --family=FAMILY |
Display sockets of type FAMILY. Currently the following families are supported: unix, inet, inet6, link, netlink, vsock, xdp. |
-A QUERY, --query=QUERY, --socket=QUERY |
List of socket tables to dump, separated by commas. The following identifiers are understood: all, inet, tcp, udp, raw, unix, packet, netlink, unix_dgram, unix_stream, unix_seqpacket, packet_raw, packet_dgram, dccp, sctp, vsock_stream, vsock_dgram, xdp Any item in the list may optionally be prefixed by an exclamation mark (!) to exclude that socket table from being dumped. |
-D FILE, --diag=FILE |
Do not display anything, just dump raw information about TCP sockets to FILE after applying filters. If FILE is - stdout is used. |
-F FILE, --filter=FILE |
Read filter information from FILE. Each line of FILE is interpreted like single command line option. If FILE is - stdin is used. |
Example usage of ss command:
To use the ss command, open a terminal and type ss followed by any desired options and arguments. Some common options and arguments include:
- Show all listening TCP ports, including the corresponding process.
-
$ ss -tlp
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 5 0.0.0.0:900 0.0.0.0:*
LISTEN 0 5 127.0.0.1:8998 0.0.0.0:*
LISTEN 0 128 127.0.0.1:44309 0.0.0.0:*
LISTEN 0 128 0.0.0.0:ssh 0.0.0.0:*
LISTEN 0 4096 *:922 *:*
LISTEN 0 4096 *:970 *:*
LISTEN 0 4096 *:980 *:*
LISTEN 0 128 [::]:ssh [::]:*
- Display timer information.
-
$ ss -tno
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 127.0.0.1:33616 127.0.0.1:22 timer:(keepalive,11sec,0)
ESTAB 0 0 127.0.0.1:22 127.0.0.1:33616 timer:(keepalive,108min,0)
ESTAB 0 0 127.0.0.1:22 127.0.0.1:33632 timer:(keepalive,108min,0)
ESTAB 0 0 127.0.0.1:33632 127.0.0.1:22 timer:(keepalive,,0)
ESTAB 0 0 [::ffff:172.17.0.4]:980 [::ffff:10.191.235.12]:47894 timer:(keepalive,,0)
ESTAB 0 0 [::ffff:172.17.0.4]:980 [::ffff:10.191.238.12]:56680 timer:(keepalive,11sec,0)
- Show all TCP/UDP/RAW/UNIX sockets:ss -a -t|-u|-w|-x
You can also use the ss command to display specific sockets or connections by specifying the protocol, local address, local port, peer address, or peer port as an argument. For example, to display all listening TCP sockets on port 8089, you can use the following command:
$ ss -tl 'sport = :8089'
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:8089 0.0.0.0:*
Conclusion
The ss command is a powerful and useful tool for troubleshooting and analyzing network connections in a Linux system. It provides more information and options than the deprecated netstat command and is an essential tool for network administrators and system administrators.
