The socket statistics command, aka ss, has replaced everyone's favorite network troubleshooting and stats command, netstat. They say that technology is rapidly evolving, but I find that those of us who work with it every day are sometimes slow to give up our favorite tools and commands for the shiny and new utilities. I recently explored the netstat command here on EnableSysadmin and thought it only fair to give ss the same air-time.
Basic functions
I want to take a look at the most common uses for ss and what information is gleaned through the various options and flags. For starters, we need to discuss the capabilities that ss brings to the table.
ss is a command-line tool that provides socket stats and displays various information based on various protocols. It can display port stats, TCP, UDP, RAW, and more.
Without options
If we run the ss command with no additional input, we get a rather long list (usually) of TCP socket information. Seen here:
[tcarrigan@rhel ~]$ ss
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
u_str ESTAB 0 0 * 39141 * 39142
u_str ESTAB 0 0 /run/systemd/journal/stdout 40978 * 40451
u_str ESTAB 0 0 * 34449 * 34448
u_str ESTAB 0 0 * 33468 * 32519
u_str ESTAB 0 0 /run/systemd/journal/stdout 23030 * 21973
*Note this output was shortened*
Keep in mind that if you need the full results of this command or want to search through the results, write the full output to a file:
# ss > output.txt
List listening sockets
To view only listening ports, use the following:
[tcarrigan@rhel ~]$ ss -l
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
nl UNCONN 0 0 rtnl:evolution-addre/2592 *
nl UNCONN 0 0 rtnl:-2113928297 *
nl UNCONN 0 0 rtnl:-2130705133 *
List all TCP and UDP connections
To view only TCP connections, use the following:
[tcarrigan@rhel ~]$ ss -t
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 10.0.2.15:40668 172.217.13.238:https
ESTAB 0 0 10.0.2.15:47972 23.49.248.152:https
ESTAB 0 0 10.0.2.15:40254 173.223.72.39:https
ESTAB 0 0 10.0.2.15:44976 99.84.221.9:https
ESTAB 0 0 10.0.2.15:44956 99.84.221.9:https
ESTAB 0 0 10.0.2.15:53300 209.167.231.15:https
ESTAB 0 0 10.0.2.15:33218 172.217.13.67:http
For listening TCP connections:
[tcarrigan@rhel ~]$ ss -lt
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:hostmon 0.0.0.0:*
LISTEN 0 128 0.0.0.0:sunrpc 0.0.0.0:*
LISTEN 0 32 192.168.122.1:domain 0.0.0.0:*
LISTEN 0 128 0.0.0.0:ssh 0.0.0.0:*
LISTEN 0 5 127.0.0.1:ipp 0.0.0.0:*
LISTEN 0 128 [::]:hostmon [::]:*
LISTEN 0 128 [::]:sunrpc [::]:*
LISTEN 0 128 [::]:ssh [::]:*
LISTEN 0 5 [::1]:ipp [::]:*
The same flag and filter syntax is used for UDP:
[tcarrigan@rhel ~]$ ss -u
Recv-Q Send-Q Local Address:Port Peer Address:Port
0 0 10.0.2.15%enp0s3:bootpc 10.0.2.2:bootps
or
[tcarrigan@rhel ~]$ ss -ul
State Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0 0 0.0.0.0:53159 0.0.0.0:*
UNCONN 0 0 192.168.122.1:domain 0.0.0.0:*
UNCONN 0 0 127.0.0.53%lo:domain 0.0.0.0:*
UNCONN 0 0 0.0.0.0%virbr0:bootps 0.0.0.0:*
UNCONN 0 0 0.0.0.0:sunrpc 0.0.0.0:*
UNCONN 0 0 127.0.0.1:323 0.0.0.0:*
UNCONN 0 0 0.0.0.0:mdns 0.0.0.0:*
UNCONN 0 0 0.0.0.0:hostmon 0.0.0.0:*
UNCONN 0 0 [::]:sunrpc [::]:*
UNCONN 0 0 [::1]:323 [::]:*
UNCONN 0 0 [::]:mdns [::]:*
UNCONN 0 0 [::]:hostmon [::]:*
UNCONN 0 0 [::]:35757 [::]:*
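As an added example (not part of the original article), the shell functions below read listening-socket output like the ss -lt and ss -ul listings above and label each socket by how widely it is bound, which is the first thing to check when reviewing which services a host exposes. The sample input is constructed from those listings, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample, modelled on the `ss -lt` and `ss -ul` listings above.
sample_listeners() {
cat <<'EOF'
State   Recv-Q Send-Q Local Address:Port    Peer Address:Port
LISTEN  0      128    0.0.0.0:ssh           0.0.0.0:*
LISTEN  0      32     192.168.122.1:domain  0.0.0.0:*
LISTEN  0      5      127.0.0.1:ipp         0.0.0.0:*
LISTEN  0      128    [::]:ssh              [::]:*
LISTEN  0      5      [::1]:ipp             [::]:*
UNCONN  0      0      127.0.0.53%lo:domain  0.0.0.0:*
UNCONN  0      0      0.0.0.0%virbr0:bootps 0.0.0.0:*
EOF
}

# Hypothetical helper: reads ss output on stdin and prints
# "<scope> <address> <port>" for each IP socket. Scope is one of
# all-interfaces, loopback, interface-bound, or specific.
classify_listeners() {
    awk '
    /Local Address/ { next }              # skip the header row
    $1 == "nl"      { next }              # netlink sockets have no IP address
    {
        # Recv-Q and Send-Q are the first two adjacent numeric fields and
        # the local address:port follows them, so this works with or
        # without the Netid and State columns.
        loc = ""
        for (i = 1; i + 2 <= NF; i++)
            if ($i ~ /^[0-9]+$/ && $(i + 1) ~ /^[0-9]+$/) { loc = $(i + 2); break }
        if (loc !~ /:/) next              # not an IP socket (e.g. u_str)

        # Split at the last colon so IPv6 literals such as [::] survive.
        n = split(loc, part, ":")
        port = part[n]
        addr = substr(loc, 1, length(loc) - length(port) - 1)

        bare = addr
        has_dev = sub(/%.*/, "", bare)    # ss appends %iface for a bound device
        wild = (bare == "0.0.0.0" || bare == "[::]" || bare == "*")

        if (bare ~ /^127\./ || bare == "[::1]") scope = "loopback"
        else if (has_dev) scope = "interface-bound"
        else if (wild) scope = "all-interfaces"
        else scope = "specific"
        print scope, addr, port
    }'
}

# Hypothetical helper: count sockets reachable on every interface.
count_exposed() {
    classify_listeners | awk '$1 == "all-interfaces" { n++ } END { print n + 0 }'
}

sample_listeners | classify_listeners
```

On a live system, pipe real output into the function, for example ss -lt | classify_listeners; adding ss's -n flag prints numeric ports instead of service names.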
Display sockets with PID
Much like netstat, you can display each socket with the process ID of the service occupying it. To do this, use the following:
[tcarrigan@rhel ~]$ ss -p
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
u_str ESTAB 0 0 * 39141 * 39142 users:(("gsd-wacom",pid=2251,fd=7))
u_str ESTAB 0 0 /run/systemd/journal/stdout 40978 * 40451
u_str ESTAB 0 0 * 34449 * 34448 users:(("dbus-daemon",pid=1979,fd=10))
*Note this output may vary based on system configuration*
Filter connections by IP type
For IPv4 connections:
[tcarrigan@rhel ~]$ ss -4
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp ESTAB 0 0 10.0.2.15%enp0s3:bootpc 10.0.2.2:bootps
tcp ESTAB 0 0 10.0.2.15:41406 172.217.9.196:https
tcp ESTAB 0 0 10.0.2.15:52148 172.217.164.170:https
tcp ESTAB 0 0 10.0.2.15:59082 23.15.8.121:http
tcp ESTAB 0 0 10.0.2.15:41176 66.235.147.239:https
tcp ESTAB 0 0 10.0.2.15:40004 172.217.7.174:http
For IPv6 connections:
[tcarrigan@rhel ~]$ ss -6
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
icmp6 UNCONN 0 0 *:ipv6-icmp *:*
Now, we know how to check socket/port connections and how to filter that information down into something useful. Let's take a look at how to pull summary statistics. Again, this is very similar to netstat.
How to pull summary stats
To view a summary of all connection stats, use the -s flag.
[tcarrigan@rhel ~]$ ss -s
Total: 1280
TCP: 47 (estab 27, closed 11, orphaned 0, timewait 10)
Transport Total IP IPv6
RAW 1 0 1
UDP 14 9 5
TCP 36 32 4
INET 51 41 10
FRAG 0 0 0
Wrapping up
These are some of the most common use cases for the ss command. As you can see, it is very similar to the netstat command, with two notable differences. First, the syntax is similar but shorter, so speed on the CLI is improved. Secondly, many of the ss commands in their default form give you information that would have required using options for netstat. Therefore, the ss command is objectively more user-friendly and verbose. I encourage you to wave goodbye to your old pal netstat and start using the ss command today.
About the author
Tyler is the Sr. Community Manager at Enable Sysadmin, a submarine veteran, and an all-round tech enthusiast! He was first introduced to Red Hat in 2012 by way of a Red Hat Enterprise Linux-based combat system inside the USS Georgia Missile Control Center. Now that he has surfaced, he lives with his wife and son near Raleigh, where he worked as a data storage engineer before finding his way to the Red Hat team. He has written numerous technical documents, from military procedures to knowledgebase articles and even some training curricula. In his free time, he blends a passion for hiking, climbing, and bushcraft with video games and computer building. He loves to read and enjoy a scotch or bourbon. Find him on Twitter or on LinkedIn.