ss command in Linux

1. ss command

The ss command gives the socket statistics. It gives information about the network connections. ss is a replacement for the netstat command.

By default, the ss command gives information about non-listening sockets.

$ ss
Netid  State      Recv-Q Send-Q   Local Address:Port       Peer Address:Port
u_str  ESTAB      0      0                    * 4482                  * 4481
u_str  ESTAB      0      0                    * 4285                  * 3631
...
tcp    FIN-WAIT-2 0      0            127.0.0.1:http-alt       127.0.0.1:35087
tcp    ESTAB      0      36           198.51.100.16:ssh        203.0.113.168:52412  
tcp    CLOSE-WAIT 1      0            127.0.0.1:35087          127.0.0.1:http-alt  

In the first column, netid, is a combination of socket type and the transport protocol. The netid, u_str stands for unix_stream. Similarly, netid's u_dgr stands for UNIX datagram sockets, nl for netlink and p_raw and p_dgr stand for raw and datagram packet sockets. And, of course, there are the tcp and udp sockets.

The second column is the socket state. The next two columns, Recv-Q and the Send-Q, give the data queued for receive and transmit. The next column gives the local address and port for the socket. The last column gives the peer address and port, if the socket is connected.

2. ss -a, ss -l

By default, only non-listening sockets are displayed. ss -a displays all the sockets, whereas, ss -l (ell) displays the listening sockets only.

$ ss -a
Netid  State      Recv-Q Send-Q   Local Address:Port       Peer Address:Port
nl     UNCONN     0      0                 rtnl:ntpd/3621                *
nl     UNCONN     0      0                 rtnl:kernel                 *
...
p_raw  UNCONN     0      0                    *:eth0                   *
u_dgr  UNCONN     0      0      /var/spool/postfix/dev/log 3604                  * 0  
u_dgr  UNCONN     0      0             /dev/log 3602                  * 0
u_str  LISTEN     0      100      public/pickup 4043                  * 0
u_str  LISTEN     0      100     public/cleanup 4047                  * 0
...
tcp    UNCONN     0      0                    *:ipproto-68               *:*
tcp    UNCONN     0      0          198.51.100.16:ipproto-123               *:*
tcp    LISTEN     0      128                  *:http                  *:*
tcp    LISTEN     0      128          127.0.0.1:http-alt               *:*
...

3. ss -n

The -n option prevents resolution of service names and prints the numeric values of the ports. For example,

$ ss -t
State      Recv-Q Send-Q   Local Address:Port       Peer Address:Port     
ESTAB      0      0         192.168.1.36:46192     198.51.100.16:https     
CLOSE-WAIT 1      0         192.168.1.36:38385        192.0.2.59:http      
ESTAB      0      0         192.168.1.36:59197    203.0.113.168:imaps     
ESTAB      0      0         192.168.1.36:37799     198.51.100.24:https     
ESTAB      0      0         192.168.1.36:59194    203.0.113.168:imaps     
ESTAB      0      0         192.168.1.36:39818    198.51.100.128:https     
ESTAB      0      0         192.168.1.36:60085      203.0.113.67:9999      
CLOSE-WAIT 1      0                  ::1:59430               ::1:ipp       
$ ss -t -n
State      Recv-Q Send-Q     Local Address:Port       Peer Address:Port   
ESTAB      0      0           192.168.1.36:46192     198.51.100.16:443     
CLOSE-WAIT 1      0           192.168.1.36:38385        192.0.2.59:80      
ESTAB      0      0           192.168.1.36:59197    203.0.113.168:993     
ESTAB      0      0           192.168.1.36:37799     198.51.100.24:443     
ESTAB      0      0           192.168.1.36:59194    203.0.113.168:993     
ESTAB      0      0           192.168.1.36:39818    198.51.100.128:443     
ESTAB      0      0           192.168.1.36:60085      203.0.113.67:9999    
CLOSE-WAIT 1      0                    ::1:59430               ::1:631     

4. ss -p

The -p option displays the process name and id for the process using the socket.

$ ss -t -p 
State      Recv-Q Send-Q   Local Address:Port       Peer Address:Port
ESTAB      0      0         192.168.1.36:38868    198.51.100.16:https   users:(("chrome",2489,80))
ESTAB      0      0         192.168.1.36:33330    203.0.113.168:imaps   users:(("thunderbird",2375,33))
ESTAB      0      0         192.168.1.36:33333    203.0.113.168:imaps   users:(("thunderbird",2375,39))
CLOSE-WAIT 1      0         192.168.1.36:40497       192.0.2.59:http    users:(("ubuntu-geoip-pr",2296,9))
ESTAB      0      0         192.168.1.36:54583    198.51.100.24:ssh     users:(("ssh",2784,3))
ESTAB      0      0         192.168.1.36:42834    198.51.100.36:https   users:(("chrome",2489,81))
CLOSE-WAIT 1      0                  ::1:37075              ::1:ipp

5. Socket statistics for a protocol

There are two ways to select sockets for a protocol. There is the -f family option, where the family can be unix, inet, inet6, link or netlink. Alternatively, there is -4 option for IPV4 (-f inet), -6 option for IPV6 (-f inet6), -0 for packet sockets (-f link), -t for TCP sockets, -u for UDP sockets, -d for DCCP sockets, -w for raw sockets and -x for UNIX domain sockets (-f unix). For example,

$ ss -t -a
State      Recv-Q Send-Q      Local Address:Port          Peer Address:Port
LISTEN     0      128             127.0.0.1:ipp                      *:*
LISTEN     0      5               127.0.1.1:domain                   *:*
ESTAB      0      0            192.168.1.36:33330       178.79.180.132:imaps
...
CLOSE-WAIT 1      0                     ::1:37075                  ::1:ipp
CLOSE-WAIT 1      0                     ::1:38695                  ::1:ipp
$ ss -u -a
State      Recv-Q Send-Q      Local Address:Port          Peer Address:Port
UNCONN     0      0            192.168.1.36:59805                    *:*
UNCONN     0      0            192.168.1.36:33185                    *:*
...
UNCONN     0      0                      :::57046                   :::*
$ ss -6 -a
Netid  State      Recv-Q Send-Q   Local Address:Port       Peer Address:Port
nl     UNCONN     0      0                 rtnl:kernel                 *
nl     UNCONN     0      0                 rtnl:mission-control/2328                *  
...
tcp    CLOSE-WAIT 1      0                  ::1:37075               ::1:ipp
tcp    CLOSE-WAIT 1      0                  ::1:38695               ::1:ipp
$ ss -f inet6 -a
Netid  State      Recv-Q Send-Q   Local Address:Port       Peer Address:Port
nl     UNCONN     0      0                 rtnl:kernel                 *
nl     UNCONN     0      0                 rtnl:mission-control/2328                *  
...
tcp    CLOSE-WAIT 1      0                  ::1:37075               ::1:ipp
tcp    CLOSE-WAIT 1      0                  ::1:38695               ::1:ipp

6. ss -o

The -o option gives the timers associated with the sockets, if there are any. For example,

$ ss -a -o
Netid  State      Recv-Q Send-Q   Local Address:Port       Peer Address:Port
nl     UNCONN     0      0                 rtnl:ntpd/3621                *
nl     UNCONN     0      0                 rtnl:kernel                 *
...
tcp    LISTEN     0      50           127.0.0.1:mysql                 *:*
tcp    ESTAB      0      72        198.51.100.1:ssh          192.0.2.59:56741    timer:(on,314ms,0)
tcp    CLOSE-WAIT 1      0            127.0.0.1:35413         127.0.0.1:http-alt
...

7. Summary

The ss -s command gives the summary of socket statistics for the system.

$ ss -s
Total: 863 (kernel 0)
TCP:   15 (estab 9, closed 0, orphaned 0, synrecv 0, timewait 0/0), ports 0  

Transport Total     IP        IPv6
*	  0         -         -        
RAW	  0         0         0        
UDP	  74        71        3        
TCP	  15        12        3        
INET	  89        83        6        
FRAG	  0         0         0        

8. Filters

The ss command syntax is,

ss  [OPTIONS]   [FILTER]

where,

FILTER := [ state TCP-STATE ]  [ EXPRESSION ]

A filter is a snippet to select or discard sockets from the command output based on certain conditions.

8.1 Filtering by state

A state filter selects or discards sockets from the command output based on keywords state or exclude followed by a state identifier. The TCP state identifiers are,

  • established
  • syn-sent
  • syn-recv
  • fin-wait-1
  • fin-wait-2
  • time-wait
  • closed
  • close-wait
  • last-ack
  • listen
  • closing

And, there are the abbreviations,

  • all, for all states
  • connected, for all states except for listen and closed
  • synchronized, for all the connected states except for syn-sent
  • bucket states, which are maintained as minisockets, that is, time-wait and syn-recv
  • big, which is the opposite of bucket

For example, to print all the connected sockets,

$ ss state connected
Netid  State      Recv-Q Send-Q   Local Address:Port       Peer Address:Port
u_dgr  ESTAB      0      0               @0002c 18112                 * 18113
u_str  ESTAB      0      0                    * 18148                 * 16144
...
tcp    CLOSE-WAIT 1      0         192.168.1.36:48124        192.0.2.59:http
tcp    ESTAB      0      0         192.168.1.36:46029     198.51.100.24:https
tcp    ESTAB      0      0         192.168.1.36:37484     203.0.113.168:imaps
tcp    ESTAB      0      0         192.168.1.36:51018     198.51.100.24:https
tcp    ESTAB      0      0         192.168.1.36:44280      203.0.113.67:9999
tcp    ESTAB      0      0         192.168.1.36:37489     203.0.113.168:imaps
tcp    CLOSE-WAIT 1      0                  ::1:57958               ::1:ipp