Mastering `ss`: The Ultimate Utility to Investigate Sockets in Linux

Table of Contents#

Introduction to ss
Installation
Basic Usage & Output Interpretation
Filtering & Advanced Options
Common Use Cases
Best Practices
Troubleshooting with ss
Comparison with netstat
Conclusion
References

1. Introduction to `ss`#

The ss utility provides detailed insights into:

TCP/UDP sockets: State (e.g., ESTABLISHED, LISTEN, TIME_WAIT), traffic queues, and connection details.
UNIX domain sockets: Used for inter-process communication (IPC) on the same host.
Network namespaces: Isolate network stacks (e.g., in containers or virtual environments).

Key advantages over netstat:

Speed: Directly queries the kernel via Netlink (faster than netstat’s /proc parsing).
Feature depth: Exposes TCP internals (e.g., congestion window, RTT, timestamps) and advanced filtering.

2. Installation#

ss is part of the iproute2 package (a modern networking toolkit for Linux). Install it with:

On Debian/Ubuntu:#

sudo apt update && sudo apt install iproute2

On RHEL/CentOS/Rocky Linux:#

sudo yum install iproute2  # or `dnf install iproute2` for newer versions

3. Basic Usage & Output Interpretation#

Listing All Sockets#

To view all active sockets (TCP, UDP, UNIX, etc.):

ss

Output Columns (Example for TCP):#

Column	Description
`State`	Socket state (e.g., `ESTABLISHED`, `LISTEN`)
`Recv-Q`	Bytes queued for application to read
`Send-Q`	Bytes queued for network transmission
`Local Address:Port`	Local IP:Port
`Peer Address:Port`	Remote IP:Port

Filter by Socket Type#

TCP sockets: ss -t
UDP sockets: ss -u
UNIX sockets: ss -x
Listening sockets (add -l): ss -tl (TCP listening) or ss -ul (UDP listening)

Example: List All Listening TCP Ports#

ss -tl

Output (simplified):

State       Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN      0      4096   *:ssh               *:*
LISTEN      0      100    127.0.0.1:smtp      *:*
LISTEN      0      4096   :::http             :::*

4. Filtering & Advanced Options#

ss excels at precise filtering using keywords, ports, IPs, and socket states.

Filter by Socket State#

Common states: ESTABLISHED, LISTEN, TIME_WAIT, SYN_SENT, CLOSE_WAIT.

Example: Show only ESTABLISHED TCP connections:

ss -t state established

Filter by Port#

Source port: ss -t sport = :22 (TCP, source port 22)
Destination port: ss -t dport = :80 (TCP, destination port 80)

Filter by IP Address#

Local IP: ss -t dst 192.168.1.100 (connections to 192.168.1.100)
Remote IP: ss -t src 8.8.8.8 (connections from 8.8.8.8)

Show Process Info (`-p`)#

Requires root (or CAP_NET_ADMIN capability) to display the process using the socket:

sudo ss -tp state established

Output (simplified):

ESTAB      0      0      192.168.1.5:ssh       10.0.0.2:54321   users:(("sshd",pid=1234,fd=3))

Disable DNS Resolution (`-n`)#

For faster output (avoids reverse DNS lookups):

ss -tn state established

Show Timer Info (`-o`)#

Displays TCP timer details (e.g., retransmit, keepalive):

ss -to state established

5. Common Use Cases#

1. Check Open (Listening) Ports#

To list all TCP and UDP listening ports (numeric, no DNS):

ss -tuln

Output (simplified):

Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
tcp   LISTEN 0      4096   *:22                *:*
tcp   LISTEN 0      100    127.0.0.1:25        *:*
udp   LISTEN 0      4096   *:53                *:*

2. Find Which Process Uses a Port#

To identify the process behind port 80 (HTTP):

sudo ss -tulnp | grep :80

Output:

tcp   LISTEN 0      4096   *:80   *:*    users:(("nginx",pid=5678,fd=6))

3. Monitor Established SSH Connections#

Show all active SSH (port 22) connections:

ss -t state established '( sport = :22 )'

4. Analyze TCP Connection Details#

To view TCP options (e.g., window size, RTT) for a specific connection:

ss -ti dst 10.0.0.2

Output (simplified):

State: ESTABLISHED
Recv-Q: 0
Send-Q: 0
Local: 192.168.1.5:22 
Peer: 10.0.0.2:54321 
...
cwnd: 10, rtt: 100ms, ...

6. Best Practices#

1. Prefer `ss` Over `netstat`#

netstat is deprecated in many distributions. ss is faster, more feature-rich, and actively maintained.

2. Combine Filters for Precision#

Use logical operators (e.g., dst, sport, state) to narrow down results:

ss -t state established dst 192.168.1.0/24

3. Scripting: Use `-n` and Consistent Formats#

For automation, disable DNS lookups (-n) and use --json (for JSON output) or --csv (for CSV):

ss -tn --json | jq '.sockets[] | select(.state == "ESTABLISHED")'

4. Limit Scope with Namespaces#

To analyze sockets in a Docker container (via its network namespace):

sudo nsenter -n -t $(docker inspect -f '{{.State.Pid}}' my-container) ss -tuln

7. Troubleshooting with `ss`#

1. High `Recv-Q` (Backlog)#

A large Recv-Q means the application is not reading data fast enough (e.g., a slow database or misconfigured service).

Check:

ss -t state established | grep -v "Recv-Q:0"

2. High `Send-Q` (Transmission Queue)#

A large Send-Q suggests:

Network congestion (e.g., bandwidth saturation).
The remote peer is not acknowledging data (e.g., firewall drops, or peer is overloaded).

Check:

ss -t state established | grep -v "Send-Q:0"

3. `SYN_RECV` Flood (SYN Attacks)#

A surge in SYN_RECV sockets may indicate a SYN flood (DDoS) or misconfigured backlog:

ss -t state syn-recv | wc -l

Tune net.ipv4.tcp_max_syn_backlog (e.g., sysctl -w net.ipv4.tcp_max_syn_backlog=1024).

4. Excessive `TIME_WAIT` Sockets#

TIME_WAIT is normal (connections waiting to close), but too many can exhaust ports.

Check:

ss -t state time-wait | wc -l

Tune (with caution):

net.ipv4.tcp_tw_reuse=1 (reuse TIME_WAIT sockets for new connections).
net.ipv4.tcp_tw_recycle=0 (avoid breaking NAT; deprecated in newer kernels).

8. Comparison with `netstat`#

Feature	`ss`	`netstat`
Speed	Fast (Netlink)	Slow (parses `/proc/net/*`)
Feature Depth	Exposes TCP internals (RTT, cwnd)	Basic state/port info
Maintenance	Actively maintained (iproute2)	Deprecated (rarely updated)
Namespace Support	Yes (via `nsenter`)	No

9. Conclusion#

The ss utility is an indispensable tool for Linux network analysis. Its speed, advanced filtering, and deep kernel integration make it ideal for troubleshooting connections, identifying port conflicts, and diagnosing performance issues. By mastering ss, you’ll gain a powerful ally in debugging complex network problems.

10. References#

ss man page: man ss (or online)
iproute2 documentation: iproute2.github.io
Linux Kernel Netlink: Kernel Docs
TCP Tuning: Red Hat Documentation

Use ss to unlock deep insights into your Linux system’s network behavior. Experiment with its options, and let it become your go-to tool for network troubleshooting! 🛠️

Table of Contents#

1. Introduction to ss#

2. Installation#

On Debian/Ubuntu:#

On RHEL/CentOS/Rocky Linux:#

3. Basic Usage & Output Interpretation#

Listing All Sockets#

Output Columns (Example for TCP):#

Filter by Socket Type#

Example: List All Listening TCP Ports#

4. Filtering & Advanced Options#

Filter by Socket State#

Filter by Port#

Filter by IP Address#

Show Process Info (-p)#

Disable DNS Resolution (-n)#

Show Timer Info (-o)#

5. Common Use Cases#

1. Check Open (Listening) Ports#

2. Find Which Process Uses a Port#

3. Monitor Established SSH Connections#

4. Analyze TCP Connection Details#

6. Best Practices#

1. Prefer ss Over netstat#

2. Combine Filters for Precision#

3. Scripting: Use -n and Consistent Formats#

4. Limit Scope with Namespaces#

7. Troubleshooting with ss#

1. High Recv-Q (Backlog)#

2. High Send-Q (Transmission Queue)#

3. SYN_RECV Flood (SYN Attacks)#

4. Excessive TIME_WAIT Sockets#

8. Comparison with netstat#

9. Conclusion#

10. References#

1. Introduction to `ss`#

Show Process Info (`-p`)#

Disable DNS Resolution (`-n`)#

Show Timer Info (`-o`)#

1. Prefer `ss` Over `netstat`#

3. Scripting: Use `-n` and Consistent Formats#

7. Troubleshooting with `ss`#

1. High `Recv-Q` (Backlog)#

2. High `Send-Q` (Transmission Queue)#

3. `SYN_RECV` Flood (SYN Attacks)#

4. Excessive `TIME_WAIT` Sockets#

8. Comparison with `netstat`#