« Back to Cheat sheets

ss cheat sheet

This article is under development, so might change a few times in a short period. Got feedback or ideas to extend it? Let's improve it together!

Socket statistics, or ss, is a great nifty utility to show information about sockets. It can be used to show which TCP/UDP ports are opened or what services are listening.

Basic options

Long optionShort optionWhat the option does
--all-aShow both listening and non-listening sockets
--events-EShow sockets that are destroyed (closed connections)
--info-iInternal TCP information
--ipv4-4Only IPv4 sockets displayed
--ipv6-6Only IPv6 sockets displayed
--listening-lOnly show listening sockets
--no-header-HDo not show the header, great for one-liners and parsing the output
--numeric-nNumeric output, so conversion of names (services, ports) is skipped
--processes-pShow related process that interacts with the socket
--summary-sDisplay a summary with statistics at the top
--tcp-tShow TCP sockets
--udp-uShow UDP sockets

Creating a shell script? Then we suggest using the long format option, as this improves the readability. For quick use of on the command-line consider using the short notation of the related option.

Never used ss before? Run the following command to get a first good impression of the details.

ss -plants

Due to the ’name’, this set of options is easy to remember and shows many useful insights. It includes:

  • Summary
  • All connections
  • Does show port and service numbers instead of names
  • Includes process names

Query specific types of connections

By port number

On a web server it makes sense to see the open connections on HTTPS (port 443).

ss -nt sport = :443

To query multiple ports

ss -nt '( sport = :443 or sport = :80 )'

A slightly shorter version is by defining the side ‘src’ (source) or ‘dst’ (destination)

ss -nt '( src :443 or src :80 )'

By destination

To see active connections with a specific destination, define an expression including the IP address or address. For example to see connections on the 192.168.x.x network:

ss dst 192.168/16

Query specific details

See connection and transmission speed

The --info option reveals a lot of specifics, including the send and receive speed. Interesting fields

  • send
  • pacing_rate
  • delivery_rate
# ss --info dst 192.168.1.11 dport 2049
Netid               State               Recv-Q               Send-Q                               Local Address:Port                                 Peer Address:Port               Process               
tcp                 ESTAB               0                    0                                     192.168.1.10:682                                  192.168.1.11:nfs                
	 cubic wscale:9,7 rto:204 rtt:0.23/0.063 ato:40 mss:1448 pmtu:1500 rcvmss:1448 advmss:1448 cwnd:10 ssthresh:417 bytes_sent:594656932 bytes_retrans:1448 bytes_acked:594655485 bytes_received:347264820 segs_out:1116447 segs_in:852268 data_segs_out:1033392 data_segs_in:765849 send 504Mbps lastsnd:34580 lastrcv:34580 lastack:4364 pacing_rate 1.01Gbps delivery_rate 895Mbps delivered:1033393 busy:310384ms retrans:0/1 dsack_dups:1 reordering:7 reord_seen:1299 rcv_rtt:2.256 rcv_space:266348 rcv_ssthresh:1215980 minrtt:0.121

TLS/SSL version and Ciphers

Some protocol specifics can be displayed as well. In this example we see TLSv1.3 with the cipher AES-GCM-256 being used.

# ss -piment
ESTAB                   0                        0                                          11.22.33.44:443                                      55.66.77.88:37912                   users:(("nginx",pid=342995,fd=5)) uid:33 ino:28900680 sk:97 cgroup:/system.slice/nginx.service <->
	 skmem:(r0,rb131072,t0,tb4194304,f0,w0,o0,bl0,d0) ts sack cubic wscale:9,7 rto:204 rtt:0.286/0.082 ato:40 mss:1448 pmtu:1500 rcvmss:666 advmss:1448 cwnd:19 bytes_sent:14455 bytes_acked:14455 bytes_received:1261 segs_out:17 segs_in:12 data_segs_out:14 data_segs_in:4 send 769566434bps lastsnd:15744 lastrcv:15680 lastack:15680 pacing_rate 1538460456bps delivery_rate 260640000bps delivered:15 app_limited reordering:254 rcv_space:14600 rcv_ssthresh:64076 minrtt:0.18 snd_wnd:60928 tcp-ulp-tls version: 1.3 cipher: aes-gcm-256 rxconf: none txconf: sw

Tip: remember this set as options as ‘pigment’ without the g.

Monitoring connections

To see if there is traffic on a system, use the --events option. It will display the sockets that are destroyed. Or in other words, the connections that are closed. A great way to see the amount of traffic and great for monitoring or when to do system maintenance.

ss -n --events

Manually close a connection

The ss command can also be used to close active connections. It works for IPv4 and IPv6 and can be used with the --kill option. Typically you want to combine this with a specific IP address and optionally a port.

ss --kill dst 192.168.1.123 dport = 80

See timer information

Some services like SSH want to stay connected. They send a keepalive signal now and then to keep the connection active. For TCP connections, we can request timer information and see when a timer expires.

ss --options --tcp

The value displayed after ‘keepalive’ refers to the expiry time. So when renewing it, the values typically go down.

Relevant articles using ss command

The following articles include an example on how to use ss and might be worth further exploring.

Liked this cheat sheet? There are more!

Feedback

Small picture of Michael Boelen

This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.

Discovered outdated information or have a question? Share your thoughts. Thanks for your contribution.

Mastodon icon