ss command in Linux
The 'ss' command, which stands for "Socket Statistics," is a potent tool for inspecting and displaying detailed information about network sockets on a Linux system. It is an indispensable resource for network administrators, system administrators, and developers, offering insights into network connections, routing tables, and more.
Let's consider an example: List All Sockets
ss
When you execute this command, it provides a detailed list of established connections. This information includes the protocol type (e.g., TCP, UDP, RAW), local and foreign addresses, the state of each connection, and more.
State: The state of the socket. `LISTEN` means it's a service waiting for connections. `ESTABLISHED` (not shown) would mean an active connection.
Recv-Q/Send-Q: The receive and send queues (data waiting to be read/sent).
Local Address:Port: Your server's IP and port.
`0.0.0.0:22` means it's listening for SSH (port 22) on all available IPv4 addresses.
`127.0.0.1:45391` means it's listening on a port only for local (loopback) connections.
`[::]:22` means it's listening for SSH on all available IPv6 addresses.
Peer Address:Port: The remote address and port for an established connection. For a listening socket, this is just `0.0.0.0:*`.
Syntax of `ss` command in Linux
Before diving into the intricacies of 'ss,' let's start with its basic syntax:
ss [options]
Where [options] can be any combination of command-line options that modify the behavior of 'ss.' Below, we'll delve into some common options and their use cases.
Options Available in the `ss` command Linux
We will go through the most common options available.
Options | Description |
|---|---|
-t | Display TCP sockets |
-u | Display UDP sockets |
-l | Display listening sockets |
-a | Display all sockets (listening and non-listening) |
-e | Display detailed information (including users) |
-i | Display internal information |
-n | Show numerical addresses instead of resolving |
-r | Display the routing table |
-s | Display summary statistics |
-4 | Display only IPv4 sockets |
-6 | Display only IPv6 sockets |
-o | Show timers |
-p | Show process information |
-P | Show process statistics |
--timewait | Display TIME-WAIT sockets |
--listening | Display listening sockets |
--all | Display all sockets (listening and non-listening) |
--numeric | Show numerical addresses instead of resolving |
--extended | Display extended socket information |
--resolve | Resolve hostnames |
--processes | Display process information |
--processes-raw | Display process information in raw format |
--summary | Display summary statistics |
Note: This is not an exhaustive list, and the 'ss' command offers additional options and flexibility. You can explore further options and combinations by referring to the 'ss' manual page using the command `man ss` in your terminal.
Displaying Socket Information:
Filtering by Protocol:
You can narrow down the socket list by specifying a particular protocol. For instance, if you want to view only TCP sockets, use the -t option like this:
ss -t
This command displays only TCP sockets, making it easier to focus on a specific type of connection.
Display Listening Sockets:
To see all sockets currently in the listening state (sockets waiting for incoming connections), employ the -l option:
ss -l
This command helps you identify which services or applications are actively listening for incoming network connections.
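A listener audit built on the Local Address:Port column described earlier, as an added example that is not part of the original page. It assumes TCP-only output from `ss -tlnH` (`-H` suppresses the header line); the function names and the sample lines are constructed for illustration.

```shell
# Constructed sample of `ss -tlnH` output (-H suppresses the header line).
sample_ss_output() {
  cat <<'EOF'
LISTEN 0 128  0.0.0.0:22        0.0.0.0:*
LISTEN 0 4096 127.0.0.1:45391   0.0.0.0:*
LISTEN 0 128  [::]:22           [::]:*
LISTEN 0 511  *:80              *:*
LISTEN 0 4096 127.0.0.53%lo:53  0.0.0.0:*
LISTEN 0 128  [::1]:631         [::]:*
LISTEN 0 64   192.168.1.10:5432 0.0.0.0:*
EOF
}

# Hypothetical helper: print "<scope> <port> <address>" per listening socket.
classify_listeners() {
  awk '$1 == "LISTEN" {
    n = match($4, /:[^:]*$/)              # last colon splits address from port
    addr = substr($4, 1, n - 1)
    port = substr($4, n + 1)
    sub(/%.*/, "", addr)                  # drop interface suffix such as %lo
    if (addr == "0.0.0.0" || addr == "*" || addr == "[::]")
      scope = "all-interfaces"
    else if (addr ~ /^127\./ || addr == "[::1]")
      scope = "loopback-only"
    else
      scope = "specific-address"
    print scope, port, addr
  }'
}

# Hypothetical helper: unique ports reachable on every interface.
exposed_ports() {
  classify_listeners | awk '$1 == "all-interfaces" { print $2 }' | sort -un | xargs
}

# On a live host, replace sample_ss_output with: ss -tlnH
sample_ss_output | classify_listeners
echo "Listening on all interfaces: $(sample_ss_output | exposed_ports)"
```

Ports reported as all-interfaces are the ones to compare against the host's firewall rules and intended service list.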
Display Established Connections:
If you're interested in viewing exclusively established connections (sockets that are actively communicating), use the -e option:
ss -e
This command provides a concise list of connections that are currently established, omitting listening or other states.
Advanced Filtering and Display Options:
The 'ss' command offers more advanced options for filtering and customizing the displayed socket information.
Filter by Port:
To filter sockets based on a specific port number, you can use commands like this:
ss sport = :80
This command, for example, displays sockets with a source port of 80. It's useful for pinpointing connections related to a particular service or port.
Display IPv6 Sockets:
If you need to view IPv6 sockets in addition to IPv4, use the `-6` option:
ss -6
This command allows you to see both IPv4 and IPv6 socket information.
Display Summary Statistics:
To obtain summary statistics about various socket types, utilize the -s option:
ss -s
Running this command provides a summarized overview of socket types, including their counts and various states.
Real-World Examples:
Example 1: Display TCP Connections to Port 22 (SSH):
ss -t sport = :22
This command specifically displays TCP connections with a source port of 22, which is typically associated with SSH connections. It helps you identify active SSH sessions.
Example 2: Show UDP Listening Ports:
ss -ul
This command lists all UDP sockets in the listening state, which is valuable for identifying open UDP ports on your system.
Example 3: Display Summary Statistics for TCP and UDP:
ss -s -t -u
Here, the command combines `-s` with `-t` and `-u` to provide summary statistics separately for TCP and UDP socket types, offering insights into the overall network usage on your system.
How ss Works (Why Is It Faster?)
ss is the modern replacement for netstat because it is significantly faster and more efficient, especially on busy servers.
`netstat` (The Old Way): Works by reading and parsing large text files from the `/proc` filesystem (like `/proc/net/tcp`). On a server with 100,000 connections, this file is massive, and `netstat` becomes extremely slow and CPU-intensive.
`ss` (The Modern Way): Works by communicating directly with the Linux kernel via the `netlink` socket. This is an efficient binary protocol. `ss` simply asks the kernel for the specific data it needs, and the kernel provides it directly, avoiding the need to read and parse huge files.
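What parsing `/proc/net/tcp` involves for every socket, shown as an added example that is not part of the original page. It assumes a little-endian host such as x86-64, where the IPv4 address appears as a byte-reversed hex word; the function names and the sample rows (trailing columns shortened) are constructed for illustration.

```shell
# Constructed sample in /proc/net/tcp layout (trailing columns shortened).
sample_proc_net_tcp() {
  cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 21345
   1: 0100007F:B14F 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 33012
   2: 0A01A8C0:0016 6401A8C0:D2F0 01 00000000:00000000 02:000A1B2C 00000000     0        0 40871
EOF
}

# "0100007F:B14F" -> "127.0.0.1:45391" (address bytes are read back to front).
decode_endpoint() {
  ip=${1%%:*} port=${1##*:}
  printf '%d.%d.%d.%d:%d\n' \
    "0x$(printf %s "$ip" | cut -c7-8)" "0x$(printf %s "$ip" | cut -c5-6)" \
    "0x$(printf %s "$ip" | cut -c3-4)" "0x$(printf %s "$ip" | cut -c1-2)" \
    "0x$port"
}

# Map the kernel's hex TCP state code to a name (subset of the states).
state_name() {
  case $1 in
    01) echo ESTABLISHED ;;
    06) echo TIME_WAIT ;;
    0A) echo LISTEN ;;
    *)  echo "0x$1" ;;
  esac
}

# Hypothetical helper: print "<state> <local> <remote>" for each table row.
parse_proc_net_tcp() {
  while read -r sl laddr raddr st _rest; do
    case $sl in *:) ;; *) continue ;; esac   # skip the header line
    printf '%s %s %s\n' "$(state_name "$st")" \
      "$(decode_endpoint "$laddr")" "$(decode_endpoint "$raddr")"
  done
}

# On a live host, replace sample_proc_net_tcp with: cat /proc/net/tcp
sample_proc_net_tcp | parse_proc_net_tcp
```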