ss command in Linux

1. ss command

The ss command gives the socket statistics. It gives information about the network connections. ss is a replacement for the netstat command.

By default, the ss command gives information about non-listening sockets.

$ ss Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port u_str ESTAB 0 0 * 4482 * 4481 u_str ESTAB 0 0 * 4285 * 3631 ... tcp FIN-WAIT-2 0 0 127.0.0.1:http-alt 127.0.0.1:35087 tcp ESTAB 0 36 198.51.100.16:ssh 203.0.113.168:52412 tcp CLOSE-WAIT 1 0 127.0.0.1:35087 127.0.0.1:http-alt

In the first column, netid, is a combination of socket type and the transport protocol. The netid, u_str stands for unix_stream. Similarly, netid's u_dgr stands for UNIX datagram sockets, nl for netlink and p_raw and p_dgr stand for raw and datagram packet sockets. And, of course, there are the tcp and udp sockets.

The second column is the socket state. The next two columns, Recv-Q and the Send-Q, give the data queued for receive and transmit. The next column gives the local address and port for the socket. The last column gives the peer address and port, if the socket is connected.

2. ss -a, ss -l

By default, only non-listening sockets are displayed. ss -a displays all the sockets, whereas, ss -l (ell) displays the listening sockets only.

$ ss -a Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port nl UNCONN 0 0 rtnl:ntpd/3621 * nl UNCONN 0 0 rtnl:kernel * ... p_raw UNCONN 0 0 *:eth0 * u_dgr UNCONN 0 0 /var/spool/postfix/dev/log 3604 * 0 u_dgr UNCONN 0 0 /dev/log 3602 * 0 u_str LISTEN 0 100 public/pickup 4043 * 0 u_str LISTEN 0 100 public/cleanup 4047 * 0 ... tcp UNCONN 0 0 *:ipproto-68 *:* tcp UNCONN 0 0 198.51.100.16:ipproto-123 *:* tcp LISTEN 0 128 *:http *:* tcp LISTEN 0 128 127.0.0.1:http-alt *:* ...

3. ss -n

The -n option prevents resolution of service names and prints the numeric values of the ports. For example,

$ ss -t State Recv-Q Send-Q Local Address:Port Peer Address:Port ESTAB 0 0 192.168.1.36:46192 198.51.100.16:https CLOSE-WAIT 1 0 192.168.1.36:38385 192.0.2.59:http ESTAB 0 0 192.168.1.36:59197 203.0.113.168:imaps ESTAB 0 0 192.168.1.36:37799 198.51.100.24:https ESTAB 0 0 192.168.1.36:59194 203.0.113.168:imaps ESTAB 0 0 192.168.1.36:39818 198.51.100.128:https ESTAB 0 0 192.168.1.36:60085 203.0.113.67:9999 CLOSE-WAIT 1 0 ::1:59430 ::1:ipp $ ss -t -n State Recv-Q Send-Q Local Address:Port Peer Address:Port ESTAB 0 0 192.168.1.36:46192 198.51.100.16:443 CLOSE-WAIT 1 0 192.168.1.36:38385 192.0.2.59:80 ESTAB 0 0 192.168.1.36:59197 203.0.113.168:993 ESTAB 0 0 192.168.1.36:37799 198.51.100.24:443 ESTAB 0 0 192.168.1.36:59194 203.0.113.168:993 ESTAB 0 0 192.168.1.36:39818 198.51.100.128:443 ESTAB 0 0 192.168.1.36:60085 203.0.113.67:9999 CLOSE-WAIT 1 0 ::1:59430 ::1:631

4. ss -p

The -p option displays the process name and id for the process using the socket.

$ ss -t -p State Recv-Q Send-Q Local Address:Port Peer Address:Port ESTAB 0 0 192.168.1.36:38868 198.51.100.16:https users:(("chrome",2489,80)) ESTAB 0 0 192.168.1.36:33330 203.0.113.168:imaps users:(("thunderbird",2375,33)) ESTAB 0 0 192.168.1.36:33333 203.0.113.168:imaps users:(("thunderbird",2375,39)) CLOSE-WAIT 1 0 192.168.1.36:40497 192.0.2.59:http users:(("ubuntu-geoip-pr",2296,9)) ESTAB 0 0 192.168.1.36:54583 198.51.100.24:ssh users:(("ssh",2784,3)) ESTAB 0 0 192.168.1.36:42834 198.51.100.36:https users:(("chrome",2489,81)) CLOSE-WAIT 1 0 ::1:37075 ::1:ipp

5. Socket statistics for a protocol

There are two ways to select sockets for a protocol. There is the -f family option, where the family can be unix, inet, inet6, link or netlink. Alternatively, there is -4 option for IPV4 (-f inet), -6 option for IPV6 (-f inet6), -0 for packet sockets (-f link), -t for TCP sockets, -u for UDP sockets, -d for DCCP sockets, -w for raw sockets and -x for UNIX domain sockets (-f unix). For example,

$ ss -t -a State Recv-Q Send-Q Local Address:Port Peer Address:Port LISTEN 0 128 127.0.0.1:ipp *:* LISTEN 0 5 127.0.1.1:domain *:* ESTAB 0 0 192.168.1.36:33330 178.79.180.132:imaps ... CLOSE-WAIT 1 0 ::1:37075 ::1:ipp CLOSE-WAIT 1 0 ::1:38695 ::1:ipp $ ss -u -a State Recv-Q Send-Q Local Address:Port Peer Address:Port UNCONN 0 0 192.168.1.36:59805 *:* UNCONN 0 0 192.168.1.36:33185 *:* ... UNCONN 0 0 :::57046 :::* $ ss -6 -a Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port nl UNCONN 0 0 rtnl:kernel * nl UNCONN 0 0 rtnl:mission-control/2328 * ... tcp CLOSE-WAIT 1 0 ::1:37075 ::1:ipp tcp CLOSE-WAIT 1 0 ::1:38695 ::1:ipp $ ss -f inet6 -a Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port nl UNCONN 0 0 rtnl:kernel * nl UNCONN 0 0 rtnl:mission-control/2328 * ... tcp CLOSE-WAIT 1 0 ::1:37075 ::1:ipp tcp CLOSE-WAIT 1 0 ::1:38695 ::1:ipp

6. ss -o

The -o option gives the timers associated with the sockets, if there are any. For example,

$ ss -a -o Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port nl UNCONN 0 0 rtnl:ntpd/3621 * nl UNCONN 0 0 rtnl:kernel * ... tcp LISTEN 0 50 127.0.0.1:mysql *:* tcp ESTAB 0 72 198.51.100.1:ssh 192.0.2.59:56741 timer:(on,314ms,0) tcp CLOSE-WAIT 1 0 127.0.0.1:35413 127.0.0.1:http-alt ...

7. Summary

The ss -s command gives the summary of socket statistics for the system.

$ ss -s Total: 863 (kernel 0) TCP: 15 (estab 9, closed 0, orphaned 0, synrecv 0, timewait 0/0), ports 0 Transport Total IP IPv6 * 0 - - RAW 0 0 0 UDP 74 71 3 TCP 15 12 3 INET 89 83 6 FRAG 0 0 0

8. Filters

The ss command syntax is,

ss [OPTIONS] [FILTER] where, FILTER := [ state TCP-STATE ] [ EXPRESSION ]

A filter is a snippet to select or discard sockets from the command output based on certain conditions.

8.1 Filtering by state

A state filter selects or discards sockets from the command output based on keywords state or exclude followed by a state identifier. The TCP state identifiers are,

  • established
  • syn-sent
  • syn-recv
  • fin-wait-1
  • fin-wait-2
  • time-wait
  • closed
  • close-wait
  • last-ack
  • listen
  • closing

And, there are the abbreviations,

  • all, for all states
  • connected, for all states except for listen and closed
  • synchronized, for all the connected states except for syn-sent
  • bucket states, which are maintained as minisockets, that is, time-wait and syn-recv
  • big, which is the opposite of bucket

For example, to print all the connected sockets,

$ ss state connected Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port u_dgr ESTAB 0 0 @0002c 18112 * 18113 u_str ESTAB 0 0 * 18148 * 16144 ... tcp CLOSE-WAIT 1 0 192.168.1.36:48124 192.0.2.59:http tcp ESTAB 0 0 192.168.1.36:46029 198.51.100.24:https tcp ESTAB 0 0 192.168.1.36:37484 203.0.113.168:imaps tcp ESTAB 0 0 192.168.1.36:51018 198.51.100.24:https tcp ESTAB 0 0 192.168.1.36:44280 203.0.113.67:9999 tcp ESTAB 0 0 192.168.1.36:37489 203.0.113.168:imaps tcp CLOSE-WAIT 1 0 ::1:57958 ::1:ipp

Software: