ss cheat sheet
Socket statistics, or ss, is a nifty utility that shows information about sockets on Linux systems. It can be used to show which TCP/UDP ports are open and which services are listening. It is (slowly) replacing the older netstat command.
Common options
The ss command has many options available. Here are the most common ones that one might use during daily system administration or troubleshooting.
Long option | Short option | Related action |
---|---|---|
--all | -a | Show both listening and non-listening sockets |
--events | -E | Show sockets that are destroyed (closed connections) |
--info | -i | Internal TCP information |
--ipv4 | -4 | Only IPv4 sockets displayed |
--ipv6 | -6 | Only IPv6 sockets displayed |
--listening | -l | Only show listening sockets |
--no-header | -H | Do not show the header, great for one-liners and parsing the output |
--numeric | -n | Numeric output, conversion of names (services, ports) is skipped |
--processes | -p | Show related process that interacts with the socket |
--resolve | -r | Try resolving numeric values for addresses and ports |
--summary | -s | Display a summary with statistics at the top |
--tcp | -t | Show TCP sockets |
--udp | -u | Show UDP sockets |
Creating a shell script? Then use the long option format, as it improves readability and makes clear what action each option performs. For quick use on the command line, consider the short notation of the option.
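A script that uses the long options from the table to audit which listening TCP sockets are reachable on every interface. This is an added example, not part of the original cheat sheet; the function names and the sample lines are constructed for illustration, and it assumes the column layout ss prints when only --tcp is selected (no Netid column).

```shell
#!/bin/sh
# Added example (not from the original page): classify listening TCP sockets
# by the address they are bound to. Function names are made up for this example.
# Live use (run as root to see every process name):
#   ss --no-header --listening --numeric --tcp --processes | classify_listeners

classify_listeners() {
  # Expected columns: State Recv-Q Send-Q Local:Port Peer:Port [Process]
  awk '
    {
      addr = $4
      # The port follows the last colon, so IPv6 literals like [::1]:631 work.
      n = split(addr, parts, ":")
      port = parts[n]
      host = substr(addr, 1, length(addr) - length(port) - 1)
      sub(/%.*$/, "", host)      # drop an interface scope such as %lo
      sub(/^\[/, "", host)       # drop IPv6 brackets
      sub(/\]$/, "", host)
      if (host == "*" || host == "0.0.0.0" || host == "::")
        scope = "ALL-INTERFACES"
      else if (host ~ /^127\./ || host == "::1")
        scope = "LOOPBACK"
      else
        scope = "SPECIFIC"
      proc = (NF >= 6) ? $6 : "-"
      print scope, port, host, proc
    }'
}

# Constructed sample output, so the example runs without a live system.
sample_listeners() {
  cat <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=640,fd=14))
LISTEN 0 511 *:443 *:* users:(("nginx",pid=1042,fd=6))
LISTEN 0 128 [::1]:631 [::]:* users:(("cupsd",pid=900,fd=7))
LISTEN 0 244 192.168.1.10:5432 0.0.0.0:* users:(("postgres",pid=1200,fd=5))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=812,fd=4))
EOF
}

sample_listeners | classify_listeners
```

Lines marked ALL-INTERFACES are the ones to compare against the firewall policy, since those services accept connections on every address of the host.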
Never used ss before? Run the following command to get a first good impression of the details.
ss -plants
This set of options is easy to remember and shows many useful insights. It includes:
- Summary
- All connections
- Port and service numbers instead of names
- Includes process names
Query specific types of connections
With the help of expressions, we can filter the data and display the specific information that we are looking for.
Predicate | Operator | Filter unit | Explanation |
---|---|---|---|
autobound | | | Match if port or path was automatically allocated |
cgroup | = or != | PATH | Match by path and connection is (not) part of cgroup |
dev | = or != | DEVICE | Match by device (or not) |
dst | = | HOST | Destination equals a specific host or network |
src | = | HOST | Source equals a specific host or network |
dport | “<”, “<=”, “=”, “!=”, “>=”, or “>” | [FAMILY:]:PORT | Match by destination port |
sport | “<”, “<=”, “=”, “!=”, “>=”, or “>” | [FAMILY:]:PORT | Match by source port |
FAMILY is one of the following values: unix, inet, inet6, link, netlink, vsock, tipc, xdp
By port number
On a web server it makes sense to see the open connections on HTTPS (port 443).
ss -nt sport = :443
To query multiple ports
ss -nt '( sport = :443 or sport = :80 )'
A slightly shorter version defines the side with ‘src’ (source) or ‘dst’ (destination):
ss -nt '( src :443 or src :80 )'
By destination
To see active connections with a specific destination, define an expression that includes the IP address or network. For example, to see connections on the 192.168.x.x network:
ss dst 192.168/16
Query specific details
See connection and transmission speed
The --info option reveals a lot of specifics, including the send and receive speed. Interesting fields:
- send
- pacing_rate
- delivery_rate
# ss --info dst 192.168.1.11 dport 2049
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp ESTAB 0 0 192.168.1.10:682 192.168.1.11:nfs
cubic wscale:9,7 rto:204 rtt:0.23/0.063 ato:40 mss:1448 pmtu:1500 rcvmss:1448 advmss:1448 cwnd:10 ssthresh:417 bytes_sent:594656932 bytes_retrans:1448 bytes_acked:594655485 bytes_received:347264820 segs_out:1116447 segs_in:852268 data_segs_out:1033392 data_segs_in:765849 send 504Mbps lastsnd:34580 lastrcv:34580 lastack:4364 pacing_rate 1.01Gbps delivery_rate 895Mbps delivered:1033393 busy:310384ms retrans:0/1 dsack_dups:1 reordering:7 reord_seen:1299 rcv_rtt:2.256 rcv_space:266348 rcv_ssthresh:1215980 minrtt:0.121
TLS/SSL version and Ciphers
Some protocol specifics can be displayed as well. In this example we see TLSv1.3 with the cipher AES-GCM-256 being used.
# ss -piment
ESTAB 0 0 11.22.33.44:443 55.66.77.88:37912 users:(("nginx",pid=342995,fd=5)) uid:33 ino:28900680 sk:97 cgroup:/system.slice/nginx.service <->
skmem:(r0,rb131072,t0,tb4194304,f0,w0,o0,bl0,d0) ts sack cubic wscale:9,7 rto:204 rtt:0.286/0.082 ato:40 mss:1448 pmtu:1500 rcvmss:666 advmss:1448 cwnd:19 bytes_sent:14455 bytes_acked:14455 bytes_received:1261 segs_out:17 segs_in:12 data_segs_out:14 data_segs_in:4 send 769566434bps lastsnd:15744 lastrcv:15680 lastack:15680 pacing_rate 1538460456bps delivery_rate 260640000bps delivered:15 app_limited reordering:254 rcv_space:14600 rcv_ssthresh:64076 minrtt:0.18 snd_wnd:60928 tcp-ulp-tls version: 1.3 cipher: aes-gcm-256 rxconf: none txconf: sw
Tip: remember this set of options as ‘pigment’ without the g.
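The TLS fields shown above come after the `tcp-ulp-tls` marker, which ss prints for sockets using the kernel's TLS layer; connections where the application handles TLS itself carry no such field. The following added example (not part of the original cheat sheet) turns that output into a per-connection report and lists sockets below a minimum TLS version. The function names are made up; the first sample socket is abridged from the output above, and the other two are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): report kernel-TLS parameters per
# TCP socket. Function names are made up for this example.
# Live use: ss --processes --info --memory --extended --numeric --tcp | ktls_report

ktls_report() {
  # Prints: local peer tls-version cipher ("none none" without tcp-ulp-tls).
  awk '
    function emit() { if (seen) print local_ep, peer_ep, ver, cipher }
    # A socket line starts with an upper-case TCP state such as ESTAB.
    $1 ~ /^[A-Z][A-Z0-9-]+$/ && NF >= 5 {
      emit()
      seen = 1; tls = 0; local_ep = $4; peer_ep = $5; ver = "none"; cipher = "none"
    }
    {
      # Detail lines: read the values that follow the tcp-ulp-tls marker.
      for (i = 1; i < NF; i++) {
        if ($i == "tcp-ulp-tls") tls = 1
        if (tls && $i == "version:") ver = $(i + 1)
        if (tls && $i == "cipher:") cipher = $(i + 1)
      }
    }
    END { emit() }'
}

ktls_older_than() {
  # $1 = minimum acceptable TLS version, for example 1.3
  ktls_report | awk -v min="$1" '$3 != "none" && $3 + 0 < min + 0'
}

# Sample input: first socket abridged from the page, the rest constructed.
sample_ss_output() {
  cat <<'EOF'
ESTAB 0 0 11.22.33.44:443 55.66.77.88:37912 users:(("nginx",pid=342995,fd=5)) uid:33 ino:28900680 sk:97 <->
     cubic wscale:9,7 rto:204 mss:1448 tcp-ulp-tls version: 1.3 cipher: aes-gcm-256 rxconf: none txconf: sw
ESTAB 0 0 11.22.33.44:443 198.51.100.7:50122 users:(("nginx",pid=342995,fd=9)) uid:33 ino:28900711 sk:98 <->
     cubic wscale:7,7 rto:208 mss:1448 tcp-ulp-tls version: 1.2 cipher: aes-gcm-128 rxconf: none txconf: sw
ESTAB 0 0 11.22.33.44:22 203.0.113.5:40022 users:(("sshd",pid=1200,fd=4)) ino:28900800 sk:99 <->
     cubic wscale:7,7 rto:204 mss:1448
EOF
}

sample_ss_output | ktls_report
sample_ss_output | ktls_older_than 1.3
```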
Monitoring connections
To see if there is traffic on a system, use the --events option. It displays the sockets that are destroyed, or in other words, the connections that are closed. This is a great way to see the amount of traffic, and useful for monitoring or for deciding when to do system maintenance.
ss -n --events
Manually close a connection
The ss command can also be used to close active connections with the --kill option. It works for both IPv4 and IPv6. Typically you want to combine this with a specific IP address and optionally a port.
ss --kill dst 192.168.1.123 dport = 80
See timer information
Some services like SSH want to stay connected. They send a keepalive signal now and then to keep the connection active. For TCP connections, we can request timer information and see when a timer expires.
ss --options --tcp
The value displayed after ‘keepalive’ refers to the expiry time. So when renewing it, the values typically go down.