Cyberithub

25 Useful Linux SS Command Examples to Monitor Network Connections

In this article, I will take you through 25 Useful Linux ss command examples to monitor Network Connections. If you are familiar with netstat tool in Linux then it will be easy for you to understand Linux ss command which is more advanced version of netstat command. Using Linux ss command you can check more information about TCP and UDP Socket connections.

You will find this command available by default in most of the Linux Based Systems hence you don’t have to install it separately. We will go through different Linux ss command examples below to understand the various usages of this command.

Syntax

ss [options] [ FILTER ]

25 Useful Linux SS Command Examples to Monitor Network Connections 1

Linux ss command examples

Also Read: How to use gcloud for GCP Login in 2 Best Steps

Example 1. Check Linux ss command version

If you want to check Linux ss command version then you need to use ss --version command as shown below.

[root@localhost ~]# ss --version
ss utility, iproute2-ss170501

–version : Output version information.

NOTE:

Please note that here I am using root user to run all the below commands.You can use any user with sudo access to run all these commands.For more information Please check Step by Step: How to Add User to Sudoers to provide sudo access to User.

Example 2. Display all Listening and Non-Listening Sockets

To check all Listening and Non-Listening sockets connection you need to use ss -a command as shown below. Using Linux ss command with -a option will show you the output in great detail.

[root@localhost ~]# ss -a
Netid State      Recv-Q Send-Q Local Address:Port Peer      Address: Port
nl    UNCONN         0     0     rtnl:kernel                   *
nl    UNCONN         0     0     rtnl:NetworkManager/706       *
nl    UNCONN         0     0     rtnl:NetworkManager/706       *
nl    UNCONN       768     0     tcpdiag:kernel                *
nl    UNCONN       4352    0     tcpdiag:ss/3535               *
nl    UNCONN         0     0     xfrm:kernel                   *
nl    UNCONN         0     0     selinux:kernel                *
nl    UNCONN         0     0     selinux:dbus-daemon/676       *

-a : Display both listening and non-listening (for TCP this means established connections) sockets.

Example 3. Display Socket Memory Usages using Linux ss command

If you want to check memory usages by each socket connections then you need to run ss -m command as shown below.

[root@localhost ~]# ss -m
Netid State Recv-Q Send-Q Local Address:Port                 Peer Address:Port
u_str ESTAB    0      0      * 18190                              * 18191        skmem:(r0,rb212992,t0,tb212992,f0,w0,o0,bl0,d0)
u_str ESTAB    0      0      * 18205                              * 18206        skmem:(r0,rb212992,t0,tb212992,f0,w0,o0,bl0,d0)
u_str ESTAB    0      0      * 12931                              * 12932        skmem:(r0,rb212992,t0,tb16777216,f0,w0,o0,bl0,d0)
u_str ESTAB    0      0 /run/dbus/system_bus_socket 18036         * 18035        skmem:(r0,rb212992,t0,tb212992,f0,w0,o0,bl0,d0)
u_str ESTAB    0      0      * 18194                              * 18193        skmem:(r0,rb212992,t0,tb212992,f0,w0,o0,bl0,d0)
u_str ESTAB    0      0      * 14731                              * 14732        skmem:(r0,rb212992,t0,tb16777216,f0,w0,o0,bl0,d0)
u_str ESTAB    0      0 /run/dbus/system_bus_socket 15072         * 15050        skmem:(r0,rb212992,t0,tb212992,f0,w0,o0,bl0,d0)
u_str ESTAB    0      0      * 18178                              * 18179        skmem:(r0,rb212992,t0,tb212992,f0,w0,o0,bl0,d0)

-m : Show socket memory usage.

Example 4. Display Only Listening Sockets using Linux ss command

If you want to see only Listening sockets connection then you need to run ss -l command as shown below. This is very important Linux ss command example where you can check all active Listening connections. This is often used during network troubleshooting.

[root@localhost ~]# ss -l
Netid  State  Recv-Q Send-Q   Local Address:Port     Peer Address:Port
nl     UNCONN   0       0      rtnl:kernel                  *
nl     UNCONN   0       0    rtnl:NetworkManager/706        *
nl     UNCONN   0       0    rtnl:NetworkManager/706        *
nl     UNCONN  4352     0      tcpdiag:ss/3621              *
nl     UNCONN  768      0      tcpdiag:kernel               *
nl     UNCONN   0       0      xfrm:kernel                  *
nl     UNCONN   0       0      selinux:kernel               *
nl     UNCONN   0       0    selinux:dbus-daemon/676        *
nl     UNCONN   0       0     selinux:systemd/1             *

-l : Display only listening sockets (these are omitted by default).

Example 5. Run Linux ss command without Any Option

You can run Linux ss command to check all the active socket and packet connections as shown in below output.

[root@localhost ~]# ss
Netid State Recv-Q Send-Q     Local Address:Port                 Peer Address:Port
u_str ESTAB    0      0            * 18190                          * 18191
u_str ESTAB    0      0            * 18205                          * 18206
u_str ESTAB    0      0            * 12931                          * 12932
u_str ESTAB    0      0     /run/dbus/system_bus_socket 18036       * 18035
u_str ESTAB    0      0            * 18194                          * 18193
u_str ESTAB    0      0            * 14731                          * 14732
u_str ESTAB    0      0     /run/dbus/system_bus_socket 15072       * 15050
u_str ESTAB    0      0            * 18178                          * 18179
u_str ESTAB    0      0     /run/systemd/journal/stdout 15603       * 15602
u_str ESTAB    0      0            * 18209                          * 18208
u_str ESTAB    0      0            * 17389                          * 17390
u_str ESTAB    0      0            * 18163                          * 18164
u_str ESTAB    0      0            * 15068                          * 15069

Example 6. Display Only TCP Sockets using Linux ss command

If you only want to check TCP socket connections then you need to use ss -t command as shown below.

[root@localhost ~]# ss -t
State  Recv-Q  Send-Q   Local Address:Port   Peer Address:Port
ESTAB    0       64      192.168.0.101:ssh   192.168.0.102:6761

-t : Display TCP sockets.

Example 7. Display only TCP Listening Connections Using Linux ss command

If you are interested in checking all Listening TCP connections only then you need to use ss -lt command as shown below.

[root@localhost ~]# ss -lt
State    Recv-Q Send-Q Local Address:Port    Peer Address:Port
LISTEN      0     100     127.0.0.1:smtp           *:*
LISTEN      0     128        *:ssh                 *:*
LISTEN      0     100        [::1]:smtp           [::]:*
LISTEN      0     128        [::]:ssh             [::]:*

Example 8. List all Unix Domain Sockets Using Linux ss command

If you want to list the connections in Unix Domain Sockets type then you need to use ss -x command as shown below.

[root@localhost ~]# ss -x
Netid State  Recv-Q Send-Q     Local Address:Port              Peer Address:Port
u_str ESTAB     0      0              * 18190                     * 18191
u_str ESTAB     0      0              * 18205                     * 18206
u_str ESTAB     0      0              * 12931                     * 12932
u_str ESTAB     0      0    /run/dbus/system_bus_socket 18036     * 18035
u_str ESTAB     0      0              * 18194                     * 18193
u_str ESTAB     0      0              * 14731                     * 14732
u_str ESTAB     0      0    /run/dbus/system_bus_socket 15072     * 15050
u_str ESTAB     0      0              * 18178                     * 18179
u_str ESTAB     0      0    /run/systemd/journal/stdout 15603     * 15602
u_str ESTAB     0      0              * 18209                     * 18208
u_str ESTAB     0      0              * 17389                     * 17390
u_str ESTAB     0      0              * 18163                     * 18164

-x : Display Unix domain sockets (alias for -f unix).

Example 9. Show Detailed Socket Information Using Linux ss command

If you want to check detailed information about socket connections then you need to use ss -e command as shown below.

[root@localhost ~]# ss -e
Netid  State   Recv-Q Send-Q   Local Address:Port                 Peer Address:Port
u_str  ESTAB       0     0           * 18190                        * 18191 <->
u_str  ESTAB       0     0           * 18205                        * 18206 <->
u_str  ESTAB       0     0           * 12931                        * 12932 -->
u_str  ESTAB       0     0     /run/dbus/system_bus_socket 18036    * 18035 <->
u_str  ESTAB       0     0           * 18194                        * 18193 <->
u_str  ESTAB       0     0           * 14731                        * 14732 -->
u_str  ESTAB       0     0     /run/dbus/system_bus_socket 15072    * 15050

-e : Show detailed socket information

Example 10. Suppress Header Information in the Output

If you want to suppress header information in Linux ss command output then you need to use ss -H command as shown below.

[root@localhost ~]# ss -H
u_str ESTAB 0 0          * 18190                  * 18191
u_str ESTAB 0 0          * 18205                  * 18206
u_str ESTAB 0 0          * 12931                  * 12932
u_str ESTAB 0 0 /run/dbus/system_bus_socket 18036 * 18035
u_str ESTAB 0 0          * 18194                  * 18193
u_str ESTAB 0 0          * 14731                  * 14732
u_str ESTAB 0 0 /run/dbus/system_bus_socket 15072 * 15050
u_str ESTAB 0 0          * 18178                  * 18179
u_str ESTAB 0 0 /run/systemd/journal/stdout 15603 * 15602
u_str ESTAB 0 0          * 18209                  * 18208
u_str ESTAB 0 0          * 17389                  * 17390
u_str ESTAB 0 0          * 18163                  * 18164
u_str ESTAB 0 0          * 15068                  * 15069
u_str ESTAB 0 0 /run/dbus/system_bus_socket 15541 * 15540

-H : Suppress header line.

Example 11. Show Timer Information using Linux ss command 

If you want to check the timer information then you need to use ss -o command as shown below.

[root@localhost ~]# ss -o
Netid State Recv-Q Send-Q        Local Address:Port        Peer Address:Port
u_str ESTAB    0      0              * 18190                    * 18191
u_str ESTAB    0      0              * 18205                    * 18206
u_str ESTAB    0      0              * 12931                    * 12932
u_str ESTAB    0      0   /run/dbus/system_bus_socket 18036     * 18035
u_str ESTAB    0      0              * 18194                    * 18193
u_str ESTAB    0      0              * 14731                    * 14732
u_str ESTAB    0      0   /run/dbus/system_bus_socket 15072     * 15050
u_str ESTAB    0      0              * 18178                    * 18179
u_str ESTAB    0      0   /run/systemd/journal/stdout 15603     * 15602
u_str ESTAB    0      0              * 18209                    * 18208
u_str ESTAB    0      0              * 17389                    * 17390
u_str ESTAB    0      0              * 18163                    * 18164
u_str ESTAB    0      0              * 15068                    * 15069
u_str ESTAB    0      0   /run/dbus/system_bus_socket 15541     * 15540
u_str ESTAB    0      0              * 18182                    * 18181
u_str ESTAB    0      0   /run/systemd/journal/stdout 17260     * 17259
u_str ESTAB    0      0              * 18167                    * 18166
u_str ESTAB    0      0              * 18202                    * 18203
u_str ESTAB    0      0              * 18217                    * 18218
u_str ESTAB    0      0              * 18173                    * 18172
u_str ESTAB    0      0              * 18206                    * 18205
u_str ESTAB    0      0              * 14991                    * 15070
u_str ESTAB    0      0              * 18191                    * 18190
u_str ESTAB    0      0              * 18149                    * 18150
u_str ESTAB    0      0              * 18156                    * 18157
u_str ESTAB    0      0              * 18169                    * 18170
u_str ESTAB    0      0              * 18153                    * 18154
u_str ESTAB    0      0              * 18196                    * 18197
u_str ESTAB    0      0              * 15428                    * 15429
u_str ESTAB    0      0              * 18211                    * 18212

tcp ESTAB 0 1232 192.168.0.101:ssh 192.168.0.102:6761 timer:(on,220ms,0)

-o : Show timer information.

Example 12. Display Summary Stats Using Linux ss command

If you want to check the summary of Socket state then you need to use ss -s command as shown below.

[root@localhost ~]# ss -s
Total: 180 (kernel 228)
TCP: 5 (estab 1, closed 0, orphaned 0, synrecv 0, timewait 0/0), ports 0

Transport Total IP IPv6
*          228   -   -
RAW         0    0   0
UDP         3    2   1
TCP         5    3   2
INET        8    5   3
FRAG        0    0   0

-s : Print summary statistics.

Example 13. Display Only IPV4 Scokets Using Linux ss command

If you want to display all IPV4 socket connections only then you need to use ss -4 command as shown below.

[root@localhost ~]# ss -4
Netid  State  Recv-Q Send-Q  Local Address:Port  Peer Address:Port
tcp    ESTAB     0     64    192.168.0.101:ssh   192.168.0.102:6761

-4 : Display only IP version 4 sockets

Example 14. Display IPV4 Listening Connections Only Using Linux ss command

If you want to display all IPV4 Listening Connections only then you need to use ss -l4 command as shown below.

[root@localhost ~]# ss -l4
Netid  State   Recv-Q Send-Q   Local Address:Port    Peer Address:Port
udp    UNCONN     0      0           *:bootpc              *:*
udp    UNCONN     0      0         127.0.0.1:323           *:*
tcp    LISTEN     0     100        127.0.0.1:smtp          *:*
tcp    LISTEN     0     128             *:ssh              *:*

Example 15. Display IPV6 Listening Connections Only

If you want to see all Listening IPV6 connections only then you need to use ss -l6 command as shown below.

[root@localhost ~]# ss -l6
Netid  State    Recv-Q  Send-Q       Local Address:Port   Peer Address:Port
udp    UNCONN       0     0               [::1]:323           [::]:*
tcp    LISTEN       0    100              [::1]:smtp          [::]:*
tcp    LISTEN       0    128              [::]:ssh            [::]:*

-6 : Display only IP version 6 sockets.

Example 16. Show Socket BPF Filters Using Linux ss command

If you want to list all Socket BPF Filters then you need to use ss -b command as shown below.

[root@localhost ~]# ss -b
Netid State Recv-Q Send-Q    Local Address:Port                Peer Address:Port
u_str ESTAB    0      0            * 18190                          * 18191
u_str ESTAB    0      0            * 18205                          * 18206
u_str ESTAB    0      0            * 12931                          * 12932
u_str ESTAB    0      0     /run/dbus/system_bus_socket 18036       * 18035
u_str ESTAB    0      0           * 18194                           * 18193
u_str ESTAB    0      0           * 14731                           * 14732
u_str ESTAB    0      0     /run/dbus/system_bus_socket 15072       * 15050
u_str ESTAB    0      0           * 18178                           * 18179
u_str ESTAB    0      0     /run/systemd/journal/stdout 15603       * 15602
u_str ESTAB    0      0           * 18209                           * 18208
u_str ESTAB    0      0           * 17389                           * 17390
u_str ESTAB    0      0           * 18163                           * 18164

-b : Show socket BPF filters (only administrators are allowed to get these information)

Example 17. List all UDP Connections Using Linux ss command

If you want to check all udp Listening connections only then you need to use ss -lu command as shown below.

[root@localhost ~]# ss -lu
State     Recv-Q Send-Q     Local Address:Port    Peer Address:Port
UNCONN       0      0             *:bootpc             *:*
UNCONN       0      0           127.0.0.1:323          *:*
UNCONN       0      0              [::1]:323          [::]:*

-u : Display UDP sockets.

Example 18. Show All Processes Using Socket Connection

If you want to show all the process using sockets then you need to use ss -p command as shown below.

[root@localhost ~]# ss -p
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
u_str ESTAB 0 0 * 18190 * 18191 users:(("master",pid=1201,fd=60))
u_str ESTAB 0 0 * 18205 * 18206 users:(("master",pid=1201,fd=75))
u_str ESTAB 0 0 * 12931 * 12932 users:(("lvmetad",pid=512,fd=2),("lvmetad",pid=512,fd=1))
u_str ESTAB 0 0 /run/dbus/system_bus_socket 18036 * 18035 users:(("dbus-daemon",pid=676,fd=16))
u_str ESTAB 0 0 * 18194 * 18193 users:(("master",pid=1201,fd=64))
u_str ESTAB 0 0 * 14731 * 1473

-p : Show process using socket.

Example 19. Do not Resolve Service Names

If you don’t want to resolve service names then you need to use ss -n command as shown below.

[root@localhost ~]# ss -n
Netid State Recv-Q Send-Q    Local Address:Port               Peer Address:Port
u_str ESTAB    0      0          * 18190                         * 18191
u_str ESTAB    0      0          * 18205                         * 18206
u_str ESTAB    0      0          * 12931                         * 12932
u_str ESTAB    0      0    /run/dbus/system_bus_socket 18036     * 18035
u_str ESTAB    0      0          * 18194                         * 18193
u_str ESTAB    0      0          * 14731                         * 14732
u_str ESTAB    0      0    /run/dbus/system_bus_socket 15072     * 15050
u_str ESTAB    0      0          * 18178                         * 18179
u_str ESTAB    0      0    /run/systemd/journal/stdout 15603     * 15602
u_str ESTAB    0      0          * 18209                         * 18208
u_str ESTAB    0      0          * 17389                         * 17390
u_str ESTAB    0      0          * 18163                         * 18164
u_str ESTAB    0      0          * 15068                         * 15069
u_str ESTAB    0      0    /run/dbus/system_bus_socket 15541     * 15540

-n : Do not try to resolve service names.

Example 20. Show Internal TCP Information Using Linux ss command

If you want to show internal TCP information then you need to use ss -i command as shown below.

[root@localhost ~]# ss -i
Netid State    Recv-Q Send-Q          Local Address:Port            Peer Address:Port
u_str ESTAB       0      0                  * 18190                     * 18191
u_str ESTAB       0      0                  * 18205                     * 18206
u_str ESTAB       0      0                  * 12931                     * 12932
u_str ESTAB       0      0     /run/dbus/system_bus_socket 18036        * 18035
u_str ESTAB       0      0                  * 18194                     * 18193
u_str ESTAB       0      0                  * 14731                     * 14732
u_str ESTAB       0      0     /run/dbus/system_bus_socket 15072        * 15050
u_str ESTAB       0      0                  * 18178                     * 18179
u_str ESTAB       0      0     /run/systemd/journal/stdout 15603        * 15602
u_str ESTAB       0      0                  * 18164                     * 18163
u_str ESTAB       0      0                  * 18179                     * 18178
u_str ESTAB       0      0                  * 18208                     * 18209
u_str ESTAB       0      0      /run/systemd/journal/stdout 17390       * 17389
u_str ESTAB       0      0                  * 18193                     * 18194
u_str ESTAB       0      0                  * 15050                     * 15072
u_str ESTAB       0      0                  * 17259                     * 17260
u_str ESTAB       0      0                  * 18212                     * 18211
u_str ESTAB       0      0                  * 18197                     * 18196
u_str ESTAB       0      0                  * 18172                     * 18173
u_str ESTAB       0      0                  * 18187                     * 18188
u_str ESTAB       0      0                  * 14441                     * 14442
tcp ESTAB 0 1232 192.168.0.101:ssh 192.168.0.102:6761
cubic wscale:8,7 rto:222 rtt:21.09/10.626 ato:40 mss:1460 rcvmss:1168 advmss:1460 cwnd:16 bytes_acked:291973 bytes_received:33116 segs_out:617 segs_in:815 send 8.9Mbps lastrcv:3 pacing_rate 17.7Mbps unacked:1 rcv_rtt:494076 rcv_space:29260

-i : Show internal TCP information.

Example 21. Display Packet Sockets Using Linux ss command

If you want to display packet sockets then you need to use ss -0 command as shown below.

[root@localhost ~]# ss -0
Netid      Recv-Q     Send-Q     Local Address:Port   Peer Address:Port
p_raw        0           0           * :enp0s3                *

-0 : Display PACKET sockets.

Example 22. Display All Established SSH Connections

If you want to display all established SSH Connections then you need to use below Linux ss command.

[root@localhost ~]# ss -o state established '( dport = :ssh or sport = :ssh )'
Netid  Recv-Q  Send-Q   Local Address:Port   Peer Address:Port
tcp      0       64      192.168.0.101:ssh   192.168.0.102:6761 timer:(on,223ms,0)

Example 23. Try to Resolve Numeric Address/Ports

If you want to try to resolve numeric address or ports then you need to use ss -r command as shown below.

[root@localhost ~]# ss -r
Netid State    Recv-Q Send-Q     Local Address:Port                  Peer Address:Port
u_str ESTAB       0      0             * 18190                          * 18191
u_str ESTAB       0      0             * 18205                          * 18206
u_str ESTAB       0      0             * 12931                          * 12932
u_str ESTAB       0      0     /run/dbus/system_bus_socket 18036        * 18035
u_str ESTAB       0      0             * 18194                          * 18193
u_str ESTAB       0      0             * 14731                          * 14732
u_str ESTAB       0      0     /run/dbus/system_bus_socket 15072        * 15050
u_str ESTAB       0      0             * 18178                          * 18179
u_str ESTAB       0      0     /run/systemd/journal/stdout 15603        * 15602
u_str ESTAB       0      0             * 18209                          * 18208
u_str ESTAB       0      0             * 17389                          * 17390
u_str ESTAB       0      0             * 18163                          * 18164
u_str ESTAB       0      0             * 15068                          * 15069
u_str ESTAB       0      0    /run/dbus/system_bus_socket 15541         * 15540
u_str ESTAB       0      0             * 18182                          * 18181
u_str ESTAB       0      0    /run/systemd/journal/stdout 17260         * 17259

-r : Try to resolve numeric address/ports.

Example 24. Display all TCP sockets with process SELinux security contexts.

If you want to display all TCP Sockets with Process SELinux Security Contexts then you need to use ss -t -a -Z command as shown below.

[root@localhost ~]# ss -t -a -Z
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 100 127.0.0.1:smtp *:* users:(("master",pid=1201,proc_ctx=system_u:system_r:postfix_master_t:s0,fd=13))
LISTEN 0 128 *:ssh *:* users:(("sshd",pid=959,proc_ctx=system_u:system_r:sshd_t:s0-s0:c0.c1023,fd=3))
ESTAB 0 0 192.168.0.101:ssh 192.168.0.102:6761 users:(("sshd",pid=3236,proc_ctx=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023,fd=3))
LISTEN 0 100 [::1]:smtp [::]:* users:(("master",pid=1201,proc_ctx=system_u:system_r:postfix_master_t:s0,fd=14))
LISTEN 0 128 [::]:ssh [::]:* users:(("sshd",pid=959,proc_ctx=system_u:system_r:sshd_t:s0-s0:c0.c1023,fd=4))

-Z : As the -p option but also shows process security context.

Example 25. Check Other Linux SS Command options

If you want to check all the options that can be used with Linux ss command then you need to use ss --help as shown below.

[root@localhost ~]# ss --help
Usage: ss [ OPTIONS ]
ss [ OPTIONS ] [ FILTER ]
-h, --help this message
-V, --version output version information
-n, --numeric don't resolve service names
-r, --resolve resolve host names
-a, --all display all sockets
-l, --listening display listening sockets
-o, --options show timer information
-e, --extended show detailed socket information
-m, --memory show socket memory usage
-p, --processes show process using socket
-i, --info show internal TCP information
-s, --summary show socket usage summary
-b, --bpf show bpf filter socket information
-E, --events continually display sockets as they are destroyed
-Z, --context display process SELinux Linux ss command
-z, --contexts display process and socket SELinux security contexts
-N, --net switch to the specified network namespace Linux ss command

 

 

 

Popular Recommendations:-

Understanding Kafka Console Producer and Consumer in 10 Easy Steps

Popular Apache Kafka Architecture Explained Using 4 Basic Components

10 Popular Examples of sudo command in Linux(RedHat/CentOS 7/8)

9 useful w command in Linux with Examples

12 Most Popular rm command in Linux with Examples

Create a Self Signed Certificate using OpenSSL

Top 12 Nmap Commands to Scan Remote Host with Best Practices

Leave a Comment