How to Monitor Network Connections on Linux With ss


Linux utilities are a lifesaver for server administrators when it comes to troubleshooting and fixing network issues. In the past, administrators used the netstat command to view network statistics and other socket-related information on Linux. But netstat has now been deprecated in favor of a better tool.

The ss command replaced netstat as it provides more detailed information than its predecessor. This article will demonstrate how you can use ss to extract socket-related information from your system.

What Is the ss Command?

The ss command, short for socket statistics, is a Linux utility that displays information related to network connections in a detailed and human-readable format. You can use ss to troubleshoot and find issues with your network as it provides complete details on the connections.

As mentioned before, ss replaced netstat, which was the original utility for listing socket statistics on Linux. The ss command is easy to use, provides more information, and delivers quick and accurate results.

How to Use ss on Linux

Using ss, you can list all the socket connections on your system. Furthermore, filtering the connections based on the type, destination address, and port number is also possible.

Basic Syntax

The basic syntax of the ss command is:

ss options

...where options is the flag that you can use to invoke the functions of the command.

Run with no options, the ss command displays a list of all the established connections, irrespective of the connection type.



In the output, the State column contains only a single value, ESTAB, which denotes an established connection.

You will find the following column headings in the output:

Netid: This denotes the type of socket used for the connection. Possible values are TCP, UDP, u_seq (Unix sequence), and u_str (Unix string).

State: The State column displays the status of the connection. You'll find values such as ESTAB, UNCONN, and LISTEN, which stand for established, unconnected, and listening respectively.

Recv-Q: The number of received packets present in the queue.

Send-Q: The number of sent packets in the queue.

Local address and port: The local address of the user's machine and the port number.

Peer address and port: The address of the destination machine and the port number.

Get a List of All Sockets

Use the -a flag to display all the sockets present in the network, listening or non-listening.

ss -a


List All the Current Listening Sockets

To only retrieve information related to the sockets that are currently listening, use the -l flag with the command. The -l stands for Listening.

ss -l

The ss command will display all the active listening sockets on your device or network. Note that almost every socket in the output has an unconnected state.

As soon as a listening socket gets an incoming connection, it creates a child socket and uses it to establish the connection. You can then use the Linux tcpdump utility to monitor and filter packets on your network.

Display TCP, UDP, and Unix Connections

On Linux, there are various types of sockets, including TCP, UDP, and Unix sockets. You can list all the connections belonging to a specific socket type with ss.

To list every TCP socket on your computer:

ss -t


The -u flag will display a list of all the UDP sockets:

ss -u


To retrieve a list of Unix sockets using ss, use the -x flag:

ss -x


By default, ss only displays the connected sockets. To get a list of all the sockets, irrespective of the connection state, use the -a flag with the command:

ss -ta
ss -ua
ss -xa

Filter TCP Connections Using State

TCP sockets have multiple states that you can use to filter the results. You can use the following socket states to filter the connections with ss: established, closed, listening, closing, all, connected, synchronized, bucket, big, time-wait, etc.

The basic format to filter TCP connections using the connection state is:

ss -t state filter

...where filter is the state of the connections, for example, established.


List IPv4 and IPv6 Connections

You can use the -4 and -6 flags to get a list of IPv4 and IPv6 sockets on your device:

ss -4
ss -6


You can also use the state method to filter IPv4 and IPv6 sockets.

ss -4 state established
ss -6 state established

Filter Connections Using Port Number

You can specify the dport and sport values in the ss command to filter connections using the port number and protocol. The dport and sport options stand for destination port and source port respectively.

To get information related to connections that have the source port 39700 or the destination port https:

ss -ta '( dport = :https or sport = :39700 )'


You can also use the state method in conjunction with the port filter to get precise results:

ss -ta state established '( dport = :https or sport = :https )'

List Raw Sockets Using ss

You can use the -w or --raw flag to display raw sockets on your device:

ss -w
ss --raw


Show Connections With a Specific Device

Using ss, you can also display a list of connections with a specific destination address.

ss dst ipaddress

...where ipaddress is the address of the destination device.


Display Process IDs of the Connections

While troubleshooting a network, knowing the process ID of the problematic connection can help a lot.

To display the PIDs associated with TCP connections:

ss -t -p

The ss command also displays the name of the application that established the connection.

Furthermore, you can get more detailed information on the process using the ps command.
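The -l, -t, and -p flags described above can be combined to audit which processes are listening on every interface. The script below is an added example, not part of the original article: exposed_listeners and sample_ss_output are hypothetical helper names, the sample output is constructed, and the -H (no header) and -n (numeric ports) flags are ss options this article does not cover.

```shell
#!/bin/sh
# Constructed sample of `ss -H -tlnp` output (not captured from a real host).
# -H (no header) and -n (numeric ports) are ss flags the article does not cover.
sample_ss_output() {
cat <<'EOF'
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*    users:(("sshd",pid=812,fd=3))
LISTEN 0      4096       127.0.0.1:631        0.0.0.0:*    users:(("cupsd",pid=640,fd=7))
LISTEN 0      511             [::]:8080          [::]:*    users:(("node",pid=2211,fd=19))
LISTEN 0      4096   127.0.0.53%lo:53         0.0.0.0:*    users:(("systemd-resolve",pid=590,fd=14))
LISTEN 0      4096               *:9100             *:*    users:(("node_exporter",pid=700,fd=3))
EOF
}

# exposed_listeners ALLOWED_PORTS   (reads ss output on stdin; hypothetical helper)
# Prints "port address process pid" for each TCP listener bound to a wildcard
# address (reachable on every interface) whose port is not in the
# comma-separated allowlist.
exposed_listeners() {
    awk -v allowed="$1" '
    BEGIN { n = split(allowed, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "LISTEN" {
        port = $4; sub(/.*:/, "", port)              # text after the last colon
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr != "0.0.0.0" && addr != "[::]" && addr != "*") next
        if (port in ok) next
        proc = "-"; pid = "-"                        # no users:(...) column without -p or root
        if (match($0, /\(\("[^"]+"/)) proc = substr($0, RSTART + 3, RLENGTH - 4)
        if (match($0, /pid=[0-9]+/))  pid  = substr($0, RSTART + 4, RLENGTH - 4)
        print port, addr, proc, pid
    }'
}

# Demo on the constructed sample; on a live host: ss -H -tlnp | exposed_listeners 22
sample_ss_output | exposed_listeners 22
```

Run ss as root on a live host, otherwise the process column is empty for sockets owned by other users and the helper prints "-" for the name and PID.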

Get a Summary of the Network Stats

The -s flag allows a user to view the overall summary of their network or device. The summary includes the number of total connections, the number and type of sockets, etc.

ss -s



Send the Output to a File

You can also save the output of the ss command to a file for later reference using the > output operator.

ss > output.txt
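A saved snapshot becomes useful once you compare it with a later one to see which listening sockets have appeared or disappeared. The script below is an added example, not part of the original article: new_listeners, listener_diff, and write_samples are hypothetical helper names, both snapshots are constructed, and the -n (numeric) flag used to produce such snapshots is not covered in this article.

```shell
#!/bin/sh
# new_listeners BASELINE CURRENT   (hypothetical helper, not part of ss)
# Prints "netid local-address:port" for sockets that are listening (TCP LISTEN,
# UDP UNCONN) in CURRENT but absent from BASELINE. Recv-Q and Send-Q are left
# out of the key because they change between runs.
new_listeners() {
    awk '
    $2 != "LISTEN" && $2 != "UNCONN" { next }     # skips the header line too
    { key = $1 " " $5 }
    FILENAME == ARGV[1] { seen[key] = 1; next }   # first file: remember the baseline
    !(key in seen) { seen[key] = 1; print key }   # second file: report new keys once
    ' "$1" "$2"
}

# listener_diff BASELINE CURRENT: "+" marks new listeners, "-" marks ones that went away.
listener_diff() {
    new_listeners "$1" "$2" | sed 's/^/+ /'
    new_listeners "$2" "$1" | sed 's/^/- /'
}

# write_samples DIR: two constructed snapshots in the format of `ss -tuln > file`.
write_samples() {
    cat > "$1/baseline.txt" <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      4096   127.0.0.1:631      0.0.0.0:*
EOF
    cat > "$1/current.txt" <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*
tcp   LISTEN 3      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      511    0.0.0.0:8081       0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:5353       0.0.0.0:*
EOF
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
listener_diff "$demo_dir/baseline.txt" "$demo_dir/current.txt"
rm -rf "$demo_dir"
```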


Using ss With grep

If you want to filter the data provided by ss but can't recall the filter syntax of the command, you can pipe the output of ss to grep to get the desired results.

For example, to get a list of all the established TCP connections using ss and grep:

ss -t | grep ESTAB


Monitoring Network Connections on Linux

On Linux, there's a command for everything. From creating files to monitoring networks, you name it. But with this huge collection of utilities comes the question of which one's the best.

Apart from the software side of a computer, users should be well aware of the hardware specifications of their system as well. Several commands are available that allow a user to easily extract information related to their system and hardware.