Want to know more about how your system is communicating? Try the Linux ss command. It replaces the older netstat and makes a lot of information about network connections available for you to easily examine.

Credit: Peter Meuris

The ss (socket statistics) command provides a lot of information by displaying details on socket activity. One way to get started, although this may be a bit overwhelming, is to use the ss -h (help) command to get a listing of the command’s numerous options. Another is to try some of the more useful commands and get an idea of what each of them can tell you.

One very useful command is the ss -s command. This command will show you some overall stats by transport type. In this output, we see stats for RAW, UDP, TCP, INET and FRAG sockets.

    $ ss -s
    Total: 524
    TCP:   8 (estab 1, closed 0, orphaned 0, timewait 0)

    Transport Total     IP        IPv6
    RAW       2         1         1
    UDP       7         5         2
    TCP       8         6         2
    INET      17        12        5
    FRAG      0         0         0

- Raw sockets allow direct sending and receiving of IP packets without protocol-specific transport layer formatting and are used for security applications such as nmap.
- TCP provides transmission control protocol and is the primary connection protocol.
- UDP (user datagram protocol) is similar to TCP but without the error checking.
- INET includes both of the above. (INET4 and INET6 can be viewed separately with some ss commands.)
- FRAG — fragmented

Clearly the by-protocol lines above aren’t displaying the totality of the socket activity. The figure in the Total line at the top of the output indicates that there is a lot more going on than the by-type lines suggest. Still, these breakdowns can be very useful.

If you want to see a list of all socket activity, you can use the ss -a command, but be prepared to see a lot of activity — as suggested by this output. Much of the socket activity on this system is local to the system being examined.

    $ ss -a | wc -l
    555

If you want to see a specific category of socket activity:

- ss -ta dumps all TCP sockets
- ss -ua dumps all UDP sockets
- ss -wa dumps all RAW sockets
- ss -xa dumps all UNIX sockets
- ss -4a dumps all IPV4 sockets
- ss -6a dumps all IPV6 sockets

The a in each of the commands above means “all”.

The ss command without arguments will display all established connections. Notice that only two of the connections shown below are for external connections — two other systems on the local network. A significant portion of the output below has been omitted for brevity.

    $ ss | more
    Netid  State  Recv-Q  Send-Q  Local Address:Port                  Peer Address:Port
    u_str  ESTAB  0       0       * 20863                             * 20864
    u_str  ESTAB  0       0       * 32232                             * 33018
    u_str  ESTAB  0       0       * 33147                             * 3257544ddddy
    u_str  ESTAB  0       0       /run/user/121/bus 32796             * 32795
    u_str  ESTAB  0       0       /run/user/121/bus 32574             * 32573
    u_str  ESTAB  0       0       * 32782                             * 32783
    u_str  ESTAB  0       0       /run/systemd/journal/stdout 19091   * 18113
    u_str  ESTAB  0       0       * 769568                            * 768429
    u_str  ESTAB  0       0       * 32560                             * 32561
    u_str  ESTAB  0       0       @/tmp/dbus-8xbBdjNe 33155           * 33154
    u_str  ESTAB  0       0       /run/systemd/journal/stdout 32783   * 32782
    …
    tcp    ESTAB  0       64      192.168.0.16:ssh                    192.168.0.6:25944
    tcp    ESTAB  0       0       192.168.0.16:ssh                    192.168.0.6:5385

To see just established tcp connections, use the -t option.

    $ ss -t
    State  Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
    ESTAB  0       64      192.168.0.16:ssh     192.168.0.6:25944
    ESTAB  0       0       192.168.0.16:ssh     192.168.0.9:5385

To display only listening sockets, try ss -lt.

    $ ss -lt
    State   Recv-Q  Send-Q  Local Address:Port     Peer Address:Port
    LISTEN  0       10      127.0.0.1:submission   0.0.0.0:*
    LISTEN  0       128     127.0.0.53%lo:domain   0.0.0.0:*
    LISTEN  0       128     0.0.0.0:ssh            0.0.0.0:*
    LISTEN  0       5       127.0.0.1:ipp          0.0.0.0:*
    LISTEN  0       10      127.0.0.1:smtp         0.0.0.0:*
    LISTEN  0       128     [::]:ssh               [::]:*
    LISTEN  0       5       [::1]:ipp              [::]:*

If you’d prefer to see port numbers rather than service names, try ss -ltn instead:

    $ ss -ltn
    State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
    LISTEN  0       10      127.0.0.1:587        0.0.0.0:*
    LISTEN  0       128     127.0.0.53%lo:53     0.0.0.0:*
    LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
    LISTEN  0       5       127.0.0.1:631        0.0.0.0:*
    LISTEN  0       10      127.0.0.1:25         0.0.0.0:*
    LISTEN  0       128     [::]:22              [::]:*
    LISTEN  0       5       [::1]:631            [::]:*

Plenty of help is available for the ss command either through the man page or by using the -h (help) option as shown below:

    $ ss -h
    Usage: ss [ OPTIONS ]
           ss [ OPTIONS ] [ FILTER ]
       -h, --help          this message
       -V, --version       output version information
       -n, --numeric       don't resolve service names
       -r, --resolve       resolve host names
       -a, --all           display all sockets
       -l, --listening     display listening sockets
       -o, --options       show timer information
       -e, --extended      show detailed socket information
       -m, --memory        show socket memory usage
       -p, --processes     show process using socket
       -i, --info          show internal TCP information
           --tipcinfo      show internal tipc socket information
       -s, --summary       show socket usage summary
       -b, --bpf           show bpf filter socket information
       -E, --events        continually display sockets as they are destroyed
       -Z, --context       display process SELinux security contexts
       -z, --contexts      display process and socket SELinux security contexts
       -N, --net           switch to the specified network namespace name

       -4, --ipv4          display only IP version 4 sockets
       -6, --ipv6          display only IP version 6 sockets
       -0, --packet        display PACKET sockets
       -t, --tcp           display only TCP sockets
       -S, --sctp          display only SCTP sockets
       -u, --udp           display only UDP sockets
       -d, --dccp          display only DCCP sockets
       -w, --raw           display only RAW sockets
       -x, --unix          display only Unix domain sockets
           --tipc          display only TIPC sockets
           --vsock         display only vsock sockets
       -f, --family=FAMILY display sockets of type FAMILY
           FAMILY := {inet|inet6|link|unix|netlink|vsock|tipc|help}

       -K, --kill          forcibly close sockets, display what was closed
       -H, --no-header     Suppress header line

       -A, --query=QUERY, --socket=QUERY
           QUERY := {all|inet|tcp|udp|raw|unix|unix_dgram|unix_stream|unix_seqpacket|packet|netlink|vsock_stream|vsock_dgram|tipc}[,QUERY]

       -D, --diag=FILE     Dump raw information about TCP sockets to FILE
       -F, --filter=FILE   read filter information from FILE
           FILTER := [ state STATE-FILTER ] [ EXPRESSION ]
           STATE-FILTER := {all|connected|synchronized|bucket|big|TCP-STATES}
             TCP-STATES := {established|syn-sent|syn-recv|fin-wait-{1,2}|time-wait|closed|close-wait|last-ack|listening|closing}
              connected := {established|syn-sent|syn-recv|fin-wait-{1,2}|time-wait|close-wait|last-ack|closing}
           synchronized := {established|syn-recv|fin-wait-{1,2}|time-wait|close-wait|last-ack|closing}
                 bucket := {syn-recv|time-wait}
                    big := {established|syn-sent|fin-wait-{1,2}|closed|close-wait|last-ack|listening|closing}

The ss command clearly offers a huge range of options for examining sockets, but you still might want to turn those that provide you with the most useful information into aliases to make them more memorable. For example:

    $ alias listen="ss -lt"
    $ alias socksum="ss -s"
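
The ss -ltn listing shown earlier mixes listeners bound to loopback with listeners bound to every interface, and only the second kind can be reached from other hosts. The script below is an added example, not part of the original article: it reads ss -ltn output and labels each listener by scope. The function names are illustrative, and the embedded sample is the article's own listing.

```shell
#!/usr/bin/env bash
# Label TCP listeners from `ss -ltn` output by how widely they are bound.

# Sample input: the `ss -ltn` listing from this article, embedded so the
# script runs offline. On a live host use: ss -ltn | classify_listeners
sample_ss_ltn() {
cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       10      127.0.0.1:587       0.0.0.0:*
LISTEN  0       128     127.0.0.53%lo:53    0.0.0.0:*
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       5       127.0.0.1:631       0.0.0.0:*
LISTEN  0       10      127.0.0.1:25        0.0.0.0:*
LISTEN  0       128     [::]:22             [::]:*
LISTEN  0       5       [::1]:631           [::]:*
EOF
}

# Reads `ss -ltn` output on stdin; prints "<scope> <address> <port>" per listener.
# scope is loopback, all-interfaces, or specific (bound to one non-loopback address).
classify_listeners() {
  awk '
    $1 != "LISTEN" { next }                 # skip the header row
    {
      field = $4                            # Local Address:Port column
      pos = match(field, /:[^:]*$/)         # last colon; IPv6 addresses contain colons too
      if (pos == 0) next
      addr = substr(field, 1, pos - 1)
      port = substr(field, pos + 1)
      sub(/%.*$/, "", addr)                 # drop interface suffix such as %lo
      gsub(/^\[|\]$/, "", addr)             # strip IPv6 brackets
      if (addr ~ /^127\./ || addr == "::1") scope = "loopback"
      else if (addr == "0.0.0.0" || addr == "::" || addr == "*") scope = "all-interfaces"
      else scope = "specific"
      print scope, addr, port
    }'
}

# Comma-separated list of unique ports that accept connections on every interface.
exposed_ports() {
  classify_listeners | awk '$1 == "all-interfaces" { print $3 }' | sort -un | paste -sd, -
}

sample_ss_ltn | classify_listeners
echo "Listening on all interfaces: $(sample_ss_ltn | exposed_ports)"
```

On the sample listing, only ssh on port 22 is bound to all interfaces; mail, DNS and printing are loopback-only.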