How to Use ss Command to Troubleshoot Network Issues on Linux
Abstract: use -a and -u options. This includes all states of the socket. ss -au 6. List all listening UDP connections You can combine -l and -u to display the U
Linux offers multiple tools for analyzing network statistics; ss is one of those command-line utilities. In this tutorial, we'll go through the fundamentals of the ss command with some easy examples.
ss CommandThe Socket Statistics (ss) command in Linux displays network socket information. When used to dump socket statistics, the ss command presents data like that of netstat, but more quickly and simply.
With ss, you can view detailed information about the sockets that are being used by your system, including their state, source and destination addresses, and other related information. It can display much more TCP and status information than most other tools.
Following is the output of the ss command, which shows data in different columns. The ss command without any options list all open non-listening sockets (e.g. TCP/UNIX/UDP) that have established connection.
We will look at all the columns one by one:
- Netid - It is simply a Socket type. TCP, UDP, SOCK_SEQPACKET, and ICMP are common types of sockets.
- State - The socket's state. Common states of sockets can be SYN-RECV, SYN-SENT, TIME-WAIT, or ESTB (established).
- recv-Q - Tells the number of packets that the queue receives.
- send-Q - Tells the number of packets sent from the queue.
- Local address: port - It shows the address of the local machine and the port.
- Peer address: port - It shows addresses and associated port numbers of the remote machines.
Syntax
ss [Options] [Filters]You can use several options and filters with the ss command to get the data according to your requirements. You can get a list of all the available options using the following command:
ss -hThe ss tool is included under iproute2 package and is the default in most Linux Distributions. To have netstat you need to install net-tools, which are already deprecated.
Compared to the netstat command, ss is quicker and simpler to use and provides information in a presentable format. ss fetches directly from the kernel.
The ss is not a complete replacement of netstat, some of the netstat command is replaced by ip command.
InstallationThe ss command line utility comes pre-installed with most Linux distributions. The ss tool comes with the iproute2 package. However, your distribution doesn't have it installed if you get the "ss command not found" error message while running this command.
You can install it using one of the following commands:
Ubuntu
sudo apt install iproute2 RedHat
sudo yum install iproute2 Fedora
sudo dnf install iprouteAs with all Linux commands, the ss command operates by sending out the command executable and then using any assortment of the available options to follow it.
The ss command has fewer available options than the netstat command. However, this doesn't mean that it is less in functionalities. The ss command is somewhat more robust.
Note: Executing the ss command without any options or filters returns an exhaustive list of TCP sockets with established connections.
1. List network connectionsYou can list all listening and non-listening network connections using the -a or -all option.
ss -a
2. List listening sockets
To display only listening sockets, which are omitted by default, use -l or --listen option.
ss -l
3. List TCP connections
To display the TCP socket connection, use the -t or --tcp option.
ss -t
To display the list of all the TCP connections, you can use the -a and -t options. This includes all states of the socket.
ss -at
To display the TCP connection for all the listening states, combine -l and -t options.
ss -altTo display the TCP connection for all the listening states, combine -l and -t options.
ss -alt
5. List UDP connections
To display the UDP socket connection, use -u or --udp option.
ss -uTo display the list of all the UDP connections, use -a and -u options. This includes all states of the socket.
ss -au
6. List all listening UDP connections
You can combine -l and -u to display the UDP connection for all the listening states.
ss -lu
7. List Unix sockets
To display all the Unix sockets, you can use the ss command along with -f unix or -x.
ss -f unix
8. List raw sockets
To display all the Raw sockets, you can use -w or --raw option.
ss -w
9. List the connection of an IP address
We can use ss command to display the list connection of a specific destination or source IP address.
For example to list connection of destination IP address:
ss dst 157.240.227.60
For example to list connection of source IP address:
ss src 192.168.18.151If you want to display the list of IPv4 socket connections use -4 option and -6 to display the list of IPv6 socket connections.
To display IPv4 socket connection list:
ss -4
To display the IPv6 socket connection list:
ss -6
To list all the IPv4 TCP connections, you can use the following example.
ss -at4
11. Identify processes
You can find the processes of sockets using the -p option along with the ss command. To identify the process, you will need sudo permission.
sudo ss -t -p 
12. List connections with no hostname resolution
To resolve the numeric address/ports use -r (resolve) option. Whereas the -n option does not try to resolve service names.
Here in the example, you can see the difference between the two:
$ ss -tn
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 74.208.235.196:22 48.192.234.17:60216
$ ss -tr
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 64 li82-186.members.linode.com:ssh n47-172-231-17.sun4.vic.optusnet.com.au:60317
$The ss command allows advanced filtering of results and searching for specific ports or TCP states.
Filter using TCP statesTo filter TCP connection with state listening, type:
ss -t state listening
You can also use the grep command to filter conventionally. I'm showing all the TCP connections in the state of listening here:
ss -at | grep LISTEN
To display established ssh port connections:
ss -tr state established '( dport = :22 or sport = :22 )'Filter for a specific destination port number or port name:
ss <options> dst :<port number or name>For example, use a port name:
ss dst :https
ss Command Options
As stated earlier in the document, the ss command can take in some optional parameters to get specific information about the network. Following is the list of all the options and their corresponding description:
OptionsDescription-hDisplays a list of all options.-VDisplays the version information.-nService names are not resolved.-rHost names are resolved-aDisplays all sockets-lDisplays all listening sockets-oDisplays timer information-eshow detailed socket information-mshow socket memory usage-pshow process using socket-ishow internal TCP information–-tipcnfoshow internal tipc socket information-sshow socket usage summary-bshow bpf filter socket information-Econtinually display sockets as they are destroyed-Zdisplay process SELinux security contexts-zdisplay process and socket SELinux security contexts-Nswitch to the specified network namespace name-4display only IP version 4 sockets-6display only IP version 6 sockets-0display PACKET sockets-tdisplay only TCP sockets-Mdisplay only MPTCP sockets-Sdisplay only SCTP sockets-udisplay only UDP sockets-ddisplay only DCCP sockets-wdisplay only RAW sockets-xdisplay only Unix domain sockets-fFAMILY display sockets of type FAMILYFAMILY := {inet|inet6|link|unix|netlink|vsock|tipc|xdp|help}-Kforcibly close sockets, display what was closed-HSuppress header line-Osocket's data printed on a single line-DDump raw information about TCP sockets to FILE-Fread filter information from FILE ss command State FiltersIt provides a method for the construction of any set of matching states. Its syntax consists of the keywords state and excludes in that order, followed by the state's identifier.
Available identifiers established, syn-sent, syn-recv, fin-wait-1, fin-wait-2, time-wait, closed, close-wait, last-ack, listening, and closing are all common TCP statuses. The following table briefs all these states:
State FilterDescriptionallfor all the statesconnectedall the states except for listening and closedsynchronizedall the connected states except for syn-sentbucketstates, which are maintained as minisockets, i.e. time-wait and syn-recvbig opposite to bucket ConclusionThe ss command utility is an easier and faster successor to the primitive netstat command. It provides advanced filtering options for socket and network statistics. Therefore, it is a must-know tool for network troubleshooting use cases.
You can follow the man page of the ss command for more details.
