ss Socket Statistics

ss cheatsheet — socket statistics, the modern netstat. ss -tulpn (listening ports), ss -an (all connections), ss -tp (TCP with PIDs). Faster and more detailed than netstat.

5 min read

What it is

ss is a command-line utility used to display information about network sockets, providing a faster and more feature-rich alternative to netstat.

Installation

Linux

ss is typically pre-installed on most modern Linux distributions. If not, it’s usually part of the iproute2 package:

sudo apt update && sudo apt install iproute2  # Debian/Ubuntu
sudo yum install iproute2                   # CentOS/RHEL
sudo dnf install iproute2                   # Fedora

macOS

ss is not natively available on macOS. You can install it via Homebrew:

brew install iproute2mac

Note: iproute2mac aims to provide ss functionality but might have some differences compared to the Linux version.

Windows

ss is not natively available on Windows. You can use tools like netstat or PowerShell cmdlets (Get-NetTCPConnection) for similar functionality. For a Linux-like experience, consider using the Windows Subsystem for Linux (WSL).

Core Concepts

Sockets: Endpoints for network communication. Each socket is defined by a protocol (TCP, UDP, etc.) and a combination of local and remote IP addresses and port numbers.
States: Sockets can be in various states, especially for TCP connections (e.g., LISTEN, ESTABLISHED, CLOSE-WAIT). ss displays these states.
Filters: ss uses powerful filtering capabilities to narrow down the displayed socket information based on various criteria like state, port, address, and process.

Commands / Usage

Displaying All Sockets

Show all TCP sockets:
```
ss -t
```
Displays a list of all TCP sockets.
Show all UDP sockets:
```
ss -u
```
Displays a list of all UDP sockets.
Show all raw sockets:
```
ss -w
```
Displays a list of all raw sockets.
Show all listening sockets:
```
ss -l
```
Displays sockets that are in a listening state.
Show all sockets (TCP, UDP, raw, UNIX):
```
ss -a
```
Displays all types of sockets.

Filtering Sockets

Show TCP sockets in ESTABLISHED state:
```
ss -t state established
```
Filters TCP sockets to only show those that are actively connected.
Show TCP sockets in LISTEN state:
```
ss -t state listening
```
Filters TCP sockets to only show those waiting for incoming connections.
Show UDP sockets:
```
ss -u
```
Displays all UDP sockets.
Show sockets on a specific port (e.g., port 80):
```
ss -t sport = :80
```
Shows TCP sockets using local port 80.
```
ss -t dport = :80
```
Shows TCP sockets using remote port 80.
Show sockets connected to a specific IP address (e.g., 192.168.1.100):
```
ss -t dst 192.168.1.100
```
Shows TCP sockets where the destination IP is 192.168.1.100.
Show sockets related to a process (using PID 1234):
```
ss -tp pid 1234
```
Shows TCP sockets associated with process ID 1234, including process information.
Show sockets on a specific network interface (e.g., eth0):
```
ss -ti 'src eth0'
```
Shows TCP sockets originating from the eth0 interface.

Displaying More Information

Show process information for sockets:
```
ss -p
```
Appends the process name and PID to each socket entry.
Show extended socket information:
```
ss -e
```
Displays more detailed information, such as user and inode.
Show timer information for sockets:
```
ss -o
```
Shows timer information, like retransmission timeouts.
Show TCP connection details (RTT, congestion control):
```
ss -i
```
Displays TCP internal information for established connections.
Show numeric addresses and ports (don’t resolve hostnames/service names):
```
ss -n
```
Faster and avoids DNS lookups.

Combining Options

Show all established TCP connections with process info:
```
ss -tp state established
```
Useful for seeing which processes are actively communicating.
Show all listening TCP sockets on port 22 with numeric output:
```
ss -ltn 'sport = :22'
```
Quickly identifies SSH servers.
Show all UDP sockets with process info:
```
ss -up
```
Helps identify which processes are using UDP.

UNIX Domain Sockets

Show all UNIX domain sockets:
```
ss -x
```
Show listening UNIX domain sockets:
```
ss -lx
```

Common Patterns

Find which process is listening on a port (e.g., 8080):
```
sudo ss -ltnp 'sport = :8080'
```
Use sudo as process information might be restricted.
Check for established connections to a specific external IP:
```
ss -tn state established dst 1.2.3.4
```
List all outgoing connections from your machine:
```
ss -tn state established src $(hostname -I | awk '{print $1}')
```
(This assumes your primary IP is the first one listed by hostname -I)
Find sockets using a lot of memory (requires -e and potentially sudo):
```
sudo ss -tae | sort -k 7 -n -r | head
```
Sorts by the size column (usually the 7th) in reverse numeric order to show the largest sockets first.
Monitor network activity for a specific port (e.g., 443) in real-time:
```
watch -n 1 "ss -tn state established 'dport = :443' || ss -tn state established 'sport = :443'"
```
This command refreshes every second and shows established TCP connections to or from port 443.

Gotchas

Permissions: To see process information (-p) for sockets owned by other users or the system, you often need sudo.
Output Format: The output columns can vary slightly depending on the ss version and kernel. The order might not always be consistent.
Filtering Syntax: The filter syntax can be powerful but also complex. Pay attention to spaces, quotes, and the exact keywords (state, sport, dport, src, dst, pid).
iproute2mac Differences: If using ss on macOS via iproute2mac, be aware that some options or the exact output format might differ from the Linux ss.
Large Output: On busy systems, ss -a can produce a very large amount of output. Use filters aggressively.
ss vs netstat: While ss is generally faster, especially on systems with many connections, some users might be more familiar with netstat’s output format. ss aims to provide similar information but with a different presentation.