ss Command in Linux: Display Socket Statistics

ss is a command-line utility for displaying socket statistics on Linux. It is the modern replacement for the deprecated netstat command and is faster, more detailed, and available by default on all current Linux distributions.

This guide explains how to use ss to list open sockets, filter results by protocol and port, and identify which process is using a given connection.

ss Syntax

ss [OPTIONS] [FILTER]

When invoked without options, ss displays all non-listening sockets that have an established connection.

List All Sockets

To list all sockets regardless of state, use the -a option:


Terminal
ss -a

The output includes columns for the socket type (Netid), state, receive and send queue sizes, local address and port, and peer address and port:

output
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp ESTAB 0 0 192.168.1.10:ssh 192.168.1.5:52710
tcp LISTEN 0 128 0.0.0.0:http 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:bootpc 0.0.0.0:*

Filter by Socket Type

TCP Sockets (-t)

To list only TCP sockets:


Terminal
ss -t

To include listening TCP sockets as well, combine with -a:


Terminal
ss -ta

UDP Sockets (-u)

To list only UDP sockets:


Terminal
ss -ua

Unix Domain Sockets (-x)

To list Unix domain sockets used for inter-process communication:


Terminal
ss -xa

Show Listening Sockets

The -l option shows only sockets that are in the listening state:


Terminal
ss -tl

The most commonly used combination is -tulpn, which shows all TCP and UDP listening sockets with process names and numeric addresses:


Terminal
ss -tulpn

output
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=1234,fd=3))
tcp LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=5678,fd=6))
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:* users:(("dhclient",pid=910,fd=6))

Each option in the combination does the following:

  • -t — show TCP sockets
  • -u — show UDP sockets
  • -l — show listening sockets only
  • -p — show the process name and PID
  • -n — show numeric addresses and ports instead of resolving hostnames and service names
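
The -tulpn listing is the usual starting point for an exposure review. The shell function below is an added example, not part of the original guide: it reads that output, classifies each listener's bind address as loopback, wildcard or a specific interface, and marks any non-loopback listener that is missing from an allowlist. The function names, the allowlist format and the three extra sample rows are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: audit the listeners reported by `ss -tulpn`.

# Constructed sample: the guide's three listeners plus three made-up rows.
sample_ss_output() {
    cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=1234,fd=3))
tcp   LISTEN 0      511    0.0.0.0:80         0.0.0.0:*         users:(("nginx",pid=5678,fd=6))
udp   UNCONN 0      0      0.0.0.0:68         0.0.0.0:*         users:(("dhclient",pid=910,fd=6))
tcp   LISTEN 0      128    127.0.0.1:5432     0.0.0.0:*         users:(("postgres",pid=777,fd=5))
tcp   LISTEN 0      4096   [::]:8080          [::]:*            users:(("java",pid=4242,fd=9))
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*
EOF
}

# audit_listeners ALLOWLIST   (ALLOWLIST: space-separated proto/port pairs)
# Reads ss -tulpn output on stdin; prints: verdict proto/port address scope process
audit_listeners() {
    awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 != "tcp" && $1 != "udp" { next }       # skips the header and other Netids
    {
        port = $5; sub(/.*:/, "", port)        # text after the last colon
        addr = $5; sub(/:[^:]*$/, "", addr)    # text before the last colon
        sub(/%.*$/, "", addr)                  # drop %iface, e.g. 127.0.0.53%lo
        gsub(/\[|\]/, "", addr)                # drop IPv6 brackets
        if (addr ~ /^127\./ || addr == "::1") scope = "loopback"
        else if (addr == "0.0.0.0" || addr == "::" || addr == "*") scope = "wildcard"
        else scope = "interface"
        name = "unknown"                       # Process column is empty without root
        if (NF >= 7 && split($7, q, "\"") >= 2) name = q[2]
        key = $1 "/" port
        verdict = (scope == "loopback" || (key in ok)) ? "ok" : "REVIEW"
        print verdict, key, addr, scope, name
    }'
}

# Offline run on the sample; live use: sudo ss -tulpn | audit_listeners "tcp/22 tcp/80"
sample_ss_output | audit_listeners "tcp/22 tcp/80 udp/68"
```

A row whose process shows as unknown usually means ss ran without root, so rerun it with sudo before judging that listener.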

Show Process Information

The -p option adds the process name and PID to the output. This requires root privileges to see processes owned by other users:


Terminal
sudo ss -tp

output
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 192.168.1.10:ssh 192.168.1.5:52710 users:(("sshd",pid=2341,fd=5))

Use Numeric Output

By default, ss resolves port numbers to service names (for example, port 22 becomes ssh). The -n option disables this and shows raw port numbers:


Terminal
ss -tn

This is useful when you need to match exact port numbers in scripts or when name resolution is slow.

Filter by Port

To find which process is using a specific port, filter by destination or source port. For example, to list all sockets using port 80:


Terminal
ss -tulpn | grep :80

You can also use the built-in filter syntax, which matches the port number exactly, whereas grep :80 also matches ports such as 8080:


Terminal
ss -tnp 'dport = :443'

To filter by source port:


Terminal
ss -tnp 'sport = :22'

Filter by Connection State

ss supports filtering by connection state. Common states include ESTABLISHED, LISTEN, TIME-WAIT, and CLOSE-WAIT.

To show only established TCP connections:


Terminal
ss -tn state ESTABLISHED

To show only sockets in the TIME-WAIT state:


Terminal
ss -tn state TIME-WAIT

Filter by Address

To show sockets connected to or from a specific IP address:


Terminal
ss -tn dst 192.168.1.5

To filter by source address:


Terminal
ss -tn src 192.168.1.10

You can combine address and port filters:


Terminal
ss -tnp dst 192.168.1.5 dport = :22

Show IPv4 or IPv6 Only

To restrict output to IPv4 sockets, use -4:


Terminal
ss -tln -4

To show only IPv6 sockets, use -6:


Terminal
ss -tln -6

Show Summary Statistics

The -s option prints a summary of socket counts by type and state without listing individual sockets:


Terminal
ss -s

output
Total: 312
TCP: 14 (estab 4, closed 3, orphaned 0, timewait 3)
Transport Total IP IPv6
RAW 1 0 1
UDP 6 4 2
TCP 11 7 4
INET 18 11 7
FRAG 0 0 0

This is useful for a quick overview of the network state on a busy server.

Practical Examples

The following examples cover common diagnostics you will use together with tools like ip and ifconfig, and when checking listening ports.

Find which process is listening on port 8080:


Terminal
sudo ss -tlpn sport = :8080

List all established SSH connections to your server:


Terminal
ss -tn state ESTABLISHED '( dport = :22 or sport = :22 )'

Show all connections to a remote host:


Terminal
ss -tn dst 203.0.113.10

Count established TCP connections:


Terminal
ss -tn state ESTABLISHED | tail -n +2 | wc -l
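
A per-peer breakdown of the same count, as an added example that is not part of the original guide: it groups established connections by remote address and prints the peers above a limit. The names peers_over_limit and sample_established and the sample rows are constructed for the illustration. Because ss changes its columns with the options (the outputs above show Netid present for -tulpn and absent for -tp), the function locates the address fields by their colon instead of a fixed column number.

```shell
#!/bin/sh
# Added example: established TCP connections grouped by peer address.

# Constructed sample of `ss -tn state ESTABLISHED` output. ss omits the State
# column when a single state is selected, so the peer is field 4 here but
# field 5 in plain `ss -tn` output.
sample_established() {
    cat <<'EOF'
Recv-Q Send-Q Local Address:Port  Peer Address:Port
0      0      192.168.1.10:22     192.168.1.5:52710
0      0      192.168.1.10:80     203.0.113.10:40112
0      0      192.168.1.10:80     203.0.113.10:40113
0      0      192.168.1.10:80     203.0.113.10:40114
0      0      [2001:db8::10]:80   [2001:db8::7]:51000
EOF
}

# peers_over_limit LIMIT
# Reads ss output on stdin; prints "count peer" for every peer address with
# more than LIMIT connections, busiest first.
peers_over_limit() {
    awk -v limit="$1" '
    {
        peer = ""
        for (i = 1; i < NF; i++)              # first field with a colon is local addr:port
            if (index($i, ":")) { peer = $(i + 1); break }
        if (peer !~ /:[0-9]+$/) next          # header line or malformed row
        sub(/:[0-9]+$/, "", peer)             # strip the port, keep IPv6 brackets
        count[peer]++
    }
    END { for (p in count) if (count[p] > limit + 0) print count[p], p }
    ' | sort -rn
}

# Offline run on the sample; live use: ss -tn state ESTABLISHED | peers_over_limit 100
sample_established | peers_over_limit 2
```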

Quick Reference

Command                     Description
ss -a                       List all sockets
ss -t                       List TCP sockets
ss -u                       List UDP sockets
ss -x                       List Unix domain sockets
ss -l                       Show listening sockets only
ss -tulpn                   Listening TCP/UDP with process and numeric output
ss -tp                      TCP sockets with process names
ss -tn                      TCP sockets with numeric addresses
ss -s                       Show socket summary statistics
ss -tn state ESTABLISHED    Show established TCP connections
ss -tnp dport = :80         Filter by destination port
ss -tn dst 192.168.1.5      Filter by remote address
ss -4                       IPv4 sockets only
ss -6                       IPv6 sockets only

Troubleshooting

ss -p does not show process names
Process information for sockets owned by other users requires elevated privileges. Use sudo ss -tp or sudo ss -tulpn.

Filters return no results
Use quoted filter expressions such as ss -tn 'dport = :443', and verify whether you should filter by sport or dport.

Service names hide numeric ports
If output shows service names (ssh, http) instead of port numbers, add -n to keep numeric ports and avoid lookup ambiguity.

Output is too broad on busy servers
Start with protocol and state filters (-t, -u, state ESTABLISHED) and then add address or port filters to narrow results.

You need command-level context, not only sockets
Use ss with ps or pgrep when you need additional process detail.

FAQ

What is the difference between ss and netstat?
ss is the modern replacement for netstat. It reads directly from kernel socket structures, making it significantly faster on systems with many connections. netstat is part of the net-tools package, which is deprecated and not installed by default on most current distributions.

Why do I need sudo with ss -p?
Without root privileges, ss can only show process information for sockets owned by your own user. To see process names and PIDs for all sockets, run ss with sudo.

What do Recv-Q and Send-Q mean in the output?
Recv-Q is the number of bytes received but not yet read by the application. Send-Q is the number of bytes sent but not yet acknowledged by the remote host. Non-zero values on a listening socket or consistently high values can indicate a performance issue.

How do I find which process is using a specific port?
Run sudo ss -tulpn | grep :<port>. The -p flag adds process information and -n keeps port numbers numeric so the grep match is reliable.

Conclusion

ss is the standard tool for inspecting socket connections on modern Linux systems. The -tulpn combination covers most day-to-day needs, while the state and address filters make it easy to narrow results on busy servers. For related network diagnostics, see the ip and ifconfig command guides, or check listening ports for a broader overview.