Pages

ss: Display Linux TCP / UDP Network and Socket Information


The ss command is used to dump socket statistics. It allows showing information similar to netstat command. It can display more TCP and state information than other tools. It is a new, incredibly useful and faster (as compare to netstat) tool for tracking TCP connections and sockets. SS can provide information about:

  • All TCP sockets.
  • All UDP sockets.
  • All established ssh / ftp / http / https connections.
  • All local processes connected to X server.
  • All the tcp sockets in state FIN-WAIT-1 and much more.


Most Linux distributions are shipped with ss and many monitoring tools. Being familiar with this tool helps enhance your understand of what's going on in the system sockets and helps you find the possible causes of a performance problem.

Task: Display Sockets Summary

List currently established, closed, orphaned and waiting TCP sockets, enter:
# ss -s
Sample Output:

Total: 734 (kernel 904)
TCP:   1415 (estab 112, closed 1259, orphaned 11, synrecv 0, timewait 1258/0), ports 566


Transport Total     IP        IPv6
*         904       -         -
RAW       0         0         0
UDP       15        12        3
TCP       156       134       22
INET      171       146       25
FRAG      0         0         0 

Task: Display All Open Network Ports

# ss -l
Sample Output:
ss -l
Recv-Q Send-Q                                                  Local Address:Port                                                      Peer Address:Port
0      0                                                           127.0.0.1:smux                                                                 *:*
0      0                                                           127.0.0.1:10024                                                                *:*
0      0                                                           127.0.0.1:10025                                                                *:*
0      0                                                                   *:3306                                                                 *:*
0      0                                                                   *:http                                                                 *:*
0      0                                                                   *:4949                                                                 *:*
0      0                                                                   *:domain                                                               *:*
0      0                                                                   *:ssh                                                                  *:*
0      0                                                                   *:smtp                                                                 *:*
0      0                                                           127.0.0.1:rndc                                                                 *:*
0      0                                                           127.0.0.1:6010                                                                 *:*
0      0                                                                *:https                                                                *:*
0      0                                                                  :::34571                                                               :::*
0      0                                                                  :::34572                                                               :::*
0      0                                                                  :::34573                                                               :::*
0      0                                                                 ::1:rndc                                                                :::*  
   
Type the following to see process named using open socket:
# ss -pl
Find out who is responsible for opening socket / port # 4949:
# ss -lp | grep 4949
Sample output:

0      0                            *:4949                          *:*        users:(("munin-node",3772,5))

munin-node (PID # 3772) is responsible for opening port # 4949. You can get more information about this process (like memory used, users, current working directory and so on) visiting /proc/3772 directory:
# cd /proc/3772
# ls –l

Task: Display All TCP Sockets
# ss -t –a

Task: Display All UDP Sockets
# ss -u –a

Task: Display All Established SMTP Connections
# ss -o state established '( dport = :smtp or sport = :smtp )'

Task: Display All Established HTTP Connections
# ss -o state established '( dport = :http or sport = :http )'

Task: Find All Local Processes Connected To X Server
# ss -x src /tmp/.X11-unix/*

Task: List All The Tcp Sockets in State FIN-WAIT-1
List all the TCP sockets in state -FIN-WAIT-1 for our httpd to network 202.54.1/24 and look at their timers:
# ss -o state fin-wait-1 '( sport = :http or sport = :https )' dst 202.54.1/24