A very useful tool for administering a Linux network is the ss command, which displays socket statistics. The ss command is very similar to the netstat command, but it gives you more useful TCP and connection-state information.
The ss command is fast; netstat can seem very slow in comparison. If you need to track sockets and TCP connections, the ss command can help you. The ss command can provide information about:
- All TCP sockets.
- All UDP sockets.
- All established ssh / ftp / http / https connections.
- All local processes connected to X server.
- Filtering by state (such as connected, synchronized, SYN-RECV, SYN-SENT, TIME-WAIT), addresses and ports.
- All the TCP sockets in state FIN-WAIT-1 and much more.
This article explains how to use the ss command on a Linux system.
Example usage of the ss command
The syntax of the ss command is:
# ss [ OPTIONS ]
or
# ss [ OPTIONS ] [ FILTER ]
1. List all connections
Type the following command to list all connections:
# ss | more
Example output:
rasho@Gandalf ~ $ ss |more
Netid  State  Recv-Q Send-Q  Local Address:Port            Peer Address:Port
u_str  ESTAB  0      0       * 219827                      * 220601
u_str  ESTAB  0      0       @/tmp/.X11-unix/X0 223495     * 223494
u_str  ESTAB  0      0       * 220663                      * 220044
u_str  ESTAB  0      0       @/tmp/.X11-unix/X0 220453     * 219708
u_str  ESTAB  0      0       @/tmp/dbus-elWbPTCWlq 223497  * 223496
............................
tcp    ESTAB  0      0       192.168.1.2:33643             68.232.35.139:https
tcp    ESTAB  0      0       192.168.1.2:56529             54.236.180.90:9999
tcp    ESTAB  0      0       192.168.1.2:45982             31.13.81.128:https
tcp    ESTAB  0      0       192.168.1.2:50923             173.194.70.84:https
tcp    ESTAB  0      0       192.168.1.2:39490             23.63.85.109:http
tcp    ESTAB  0      0       192.168.1.2:42899             79.101.110.89:https
2. List all TCP, UDP and Unix connections
List all TCP connections
To list all TCP connections use the -t option:
# ss -t
Note: By default, the “-t” option reports only “ESTABLISHED” or “CONNECTED” connections. With the “-ta” option, the report shows all TCP connections (connected and listening).
List all UDP connections
To list all UDP connections use the -u option:
# ss -ua
Note: The “-ua” option tells ss to report both “CONNECTED” and “LISTENING” sockets.
List all Unix connections
To list all Unix connections use the -x option:
# ss -x
3. Summary statistics report
To print summary statistics use the “-s” option:
# ss -s
4. Display all open network ports
To display all open network ports, run ss -l as shown below.
# ss -l
5. Display only IPv4 or IPv6 socket connections
To display only IPv4 socket connections use the ‘-f inet’ or ‘-4’ option.
# ss -tl -f inet
or
# ss -tl -4
Example output:
# ss -tl -f inet
State   Recv-Q Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0      50      *:microsoft-ds      *:*
LISTEN  0      50      *:netbios-ssn       *:*
LISTEN  0      5       127.0.1.1:domain    *:*
LISTEN  0      128     *:ssh               *:*
LISTEN  0      128     127.0.0.1:ipp       *:*
To display only IPv6 socket connections use the ‘-f inet6’ or ‘-6’ option.
# ss -tl -f inet6
or
# ss -tl -6
Example output:
# ss -tl -6
State   Recv-Q Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0      50      :::microsoft-ds     :::*
LISTEN  0      50      :::netbios-ssn      :::*
LISTEN  0      128     :::ssh              :::*
LISTEN  0      128     ::1:ipp             :::*
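As an added example (not code from the original article), the listener output above can be sorted by exposure: a socket bound to * or :: accepts connections on every interface, while 127.x.x.x and ::1 are reachable only from the local host. The function names are made up for this illustration, and the sample input is the example output from this section.

```shell
#!/bin/sh
# Sample input: the IPv4 and IPv6 example output shown in this section.
sample_output() {
cat <<'EOF'
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 50 *:microsoft-ds *:*
LISTEN 0 50 *:netbios-ssn *:*
LISTEN 0 5 127.0.1.1:domain *:*
LISTEN 0 128 *:ssh *:*
LISTEN 0 128 127.0.0.1:ipp *:*
LISTEN 0 50 :::microsoft-ds :::*
LISTEN 0 50 :::netbios-ssn :::*
LISTEN 0 128 :::ssh :::*
LISTEN 0 128 ::1:ipp :::*
EOF
}

# Read ss output on stdin; print "<scope> <address> <port>" per TCP listener.
# scope is all-interfaces (wildcard bind), loopback, or one-address.
classify_listeners() {
    awk '
    {
        # "ss -tl" puts the state in column 1; plain "ss -l" adds a Netid
        # column in front, which shifts the local endpoint from $4 to $5.
        if ($1 == "LISTEN") ep = $4
        else if ($1 == "tcp" && $2 == "LISTEN") ep = $5
        else next                      # header, prompt or other socket type
        # The port (or service name) is the text after the last colon,
        # so IPv6 addresses such as ::1 stay intact.
        n = split(ep, part, ":")
        port = part[n]
        addr = substr(ep, 1, length(ep) - length(port) - 1)
        gsub(/\[|\]/, "", addr)        # newer ss versions print [::]:22
        if (addr == "*" || addr == "0.0.0.0" || addr == "::")
            scope = "all-interfaces"
        else if (addr ~ /^127\./ || addr == "::1")
            scope = "loopback"
        else
            scope = "one-address"
        print scope, addr, port
    }'
}

# Number of listeners reachable on every interface.
count_exposed() {
    classify_listeners | grep -c '^all-interfaces '
}

sample_output | classify_listeners
```

On a live system, pipe real data into it with ss -tln | classify_listeners and review every all-interfaces entry against what the host is supposed to serve.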
6. Do not resolve hostname
Use the “-n” option if you want to prevent the ss command from resolving IP addresses to hostnames.
# ss -tn
7. Show timer information
To display timer information use the ‘-o’ option:
# ss -tn -o
8. Filter connections using TCP states
The syntax is as follows:
## tcp ipv4 ##
ss -4 state FILTER-NAME-HERE
## tcp ipv6 ##
ss -6 state FILTER-NAME-HERE
Where FILTER-NAME-HERE can be any one of the following:
- established
- syn-sent
- syn-recv
- fin-wait-1
- fin-wait-2
- time-wait
- closed
- close-wait
- last-ack
- listen
- closing
- all : All of the above states
- connected : All the states except for listen and closed
- synchronized : All the connected states except for syn-sent
- bucket : Show states, which are maintained as minisockets, i.e. time-wait and syn-recv.
- big : Opposite to bucket state.
That’s all! For more information about the ss command see the man page:
# man ss
Surprised I didn’t see my personal favourite.
List all ports you are listening to and which service is listening