ss

Show all TCP/UDP/RAW/UNIX sockets

$ ss [[-a|--all]] [-t|-u|-w|-x]

$ ss [state|exclude] [bucket|big|connected|synchronized|...]

$ ss [[-t|--tcp]] src :[443]

$ ss [[-lt|--listening --tcp]] src :[8080]

$ ss [[-pt|--processes --tcp]] dst :[ssh]

$ ss [[-u|--udp]] 'sport == :[source_port] and dport == :[destination_port]'

$ ss [[-4t|--ipv4 --tcp]] src [192.168/16]

$ ss [[-K|--kill]] dst [192.168.1.17] dport = [8080]

ss [OPTIONS] [STATE-FILTER] [ADDRESS-FILTER]

-h, --help
    Displays a help message and exits.

-V, --version
    Prints version information and exits.

-n, --numeric
    Do not resolve service names. Display port numbers instead of service names.

-a, --all
    Display all sockets (default: only connected sockets).

-l, --listening
    Display only listening sockets.

-p, --processes
    Show process using socket. Requires root privileges for most processes.

-t, --tcp
    Display TCP sockets.

-u, --udp
    Display UDP sockets.

-x, --unix
    Display Unix domain sockets.

-s, --summary
    Display summary statistics.

-e, --extended
    Show extended socket information (UID, GID, SECLABEL).

-o, --options
    Show timer information.

-m, --memory
    Show socket memory usage.

-i, --info
    Show internal TCP information (e.g., RTT, retransmits).

-r, --resolve
    Resolve numeric host addresses and port numbers to their symbolic names.

-4, --ipv4
    Display only IPv4 sockets.

-6, --ipv6
    Display only IPv6 sockets.

-K, --kill
    Attempts to forcibly close sockets. Use with extreme caution! Requires root privileges.

The ss command is a powerful and highly efficient utility for examining network sockets on Linux. It serves as a modern and faster replacement for the traditional netstat command, leveraging the Netlink socket interface in the kernel for superior performance and more detailed information retrieval. ss can display a wealth of information about open sockets, including TCP, UDP, RAW, and Unix domain sockets, along with their states (e.g., ESTABLISHED, LISTEN, TIME-WAIT), associated processes, and various connection details like send/receive queues, timer information, and memory usage. Its design allows it to quickly query kernel space for socket information, making it particularly useful on systems with a large number of connections. Administrators and developers use ss for network troubleshooting, performance monitoring, and security auditing, providing insights into active network connections and listening services.

Some options, such as displaying process information (-p) or forcefully closing sockets (-K), require root privileges to function correctly. Without appropriate permissions, ss may not show all details or may fail to execute certain actions. While more efficient than netstat, its output can be dense and requires familiarity with networking concepts for full interpretation.

The ss command supports powerful filtering capabilities to narrow down the output. You can filter by state (e.g., ss -t state established), source/destination address and port (e.g., ss -t dst 192.168.1.1:80), or by user/group. This allows for highly specific queries to quickly find relevant connection information.

Typical output columns include Netid (protocol), State (connection state), Recv-Q (bytes received but not yet read), Send-Q (bytes sent but not yet acknowledged), Local Address:Port, and Peer Address:Port. Understanding these fields is crucial for effective network diagnostics.

The ss command is part of the iproute2 utility suite, which was developed to provide a more robust and efficient set of networking tools for Linux. Unlike older utilities like netstat that parse pseudo-files in /proc/net, ss directly queries the kernel's Netlink socket interface. This design choice grants ss significant performance advantages, especially on systems with a large number of active network connections, and allows it to retrieve more detailed and up-to-date information directly from the kernel. Its development reflects the Linux kernel's evolution towards more modern and efficient interfaces for network management.

netstat(8), ip(8), lsof(8)