Examine Network Socket Connections with Linux ss Command Instead of Netstat

The Linux ‘ss’ command replaces the older ‘netstat’ and makes a lot of information about network and socket connections available for you to easily examine or troubleshoot issues. The ss (socket statistics) command provides a lot of information by displaying details on socket activity.

What is a Socket?

A socket is a Linux file descriptor for communicating with the network. In Linux, they say everything is a file. In this case, you can treat a socket like a file that writes to the network instead of writing to a disk. Sockets come in different flavors for TCP vs. UDP.

Why ss instead of netstat ?

I’ll say this right out of the gate, you can absolutely use either.

netstat gets its information from /proc/net directly. It parses the file and prints out information based on it.

ss was written more recently to use the netlink API (fall back to proc/net if netlink is unavailable). The information in both systems is essentially the same (from what I’ve seen), but here are some arguments for why to use ss

• It’s marginally/arguably faster (more optimized modern code).
• Netlink can exposes more TCP states.
• Better default options and argument.

None of these are a huge incentive to use one utility over the other realistically, which is why I expect a lot of people still use netstat. It’s also likely that netstat is installed more places and everyone knows netstat, its been around forever, like myself.

The default arguments is a little more compelling. netstat by default will try to resolve IP addresses through DNS which really slows it down. It also opens a bunch of new UDP sockets, which might clutter the picture if you’re investigating something. netstat -n stops this behavior, but ss has that on by default (you can use ss -r if you do want the resolution).

If you’re in to reading source code you’ll also find the source for ss a much more pleasant read 🙂

The ss -h (help) command to show a listing of the command’s numerous options but that can be a bit much to start exploring with. Let’s look at some of the basic commands and get an idea what each of them can tell you.

One very useful command is the ss -s command. This command will show you some overall stats by transport type. In this output, we see stats for RAW, UDP, TCP, INET and FRAG sockets.

# ss -s

RAW sockets allow direct sending and receiving of IP packets without protocol-specific transport layer formatting and are used for security applications such as nmap.

TCP provides transmission control protocol and is the primary connection protocol.

UDP (user datagram protocol) is similar to TCP but without the error checking.

INET includes both of the above. (INET4 and INET6 can be viewed separately with some ss commands.)

FRAG — fragmented

Clearly the by-protocol lines above aren’t displaying the totality of the socket activity. The figure in the Total line at the top of the output indicates that there is a lot more going on than the by-type lines suggest. Still, these breakdowns can be very useful.

To see a list of all socket activity, you can use the ss -a command, but be prepared to see a lot of activity — as suggested by this output. Much of the socket activity will be local to the system being examined.

# ss -a

If you want to see a specific category of socket activity:

ss -ta dumps all TCP socket

ss -ua dumps all UDP sockets

ss -wa dumps all RAW sockets

ss -xa dumps all UNIX sockets

ss -4a dumps all IPV4 sockets

ss -6a dumps all IPV6 sockets

The a in each of the commands above means “all”.

The ss command without arguments will display all established connections. A significant portion of the output below has been omitted for brevity.

# ss | more

To see just established tcp connections, use the -t option.

# ss -t

To display only listening sockets, try ss -lt.

# ss -lt

If you’d prefer to see port number than service names, try ss -ltn instead:

# ss -ltn

You may even want to add a few of the commands you find most useful in to aliases, for me in my “aliases” file on the servers I manage:

alias ss-listen=’ss -lt’
alias ss-sum=’ss -s’