# ss — Inspect Socket Statistics and Network Connections

> Practical guide to ss — query socket statistics, listening ports, protocol filters and TCP states from the kernel, with examples for everyday server work.

Source: https://www.jpkc.com/db/en/cheatsheets/networking/ss/

`ss` is the fast, modern replacement for `netstat` on Linux: instead of iterating through proc filesystem entries, it reads socket statistics directly from the kernel netlink interface – and returns active connections, listening ports and TCP states in milliseconds. This guide shows you how to check what is listening on your system, which process owns the socket and which connection states are currently active.

## Basic Usage

`ss` — Show all open non-listening sockets that have an established connection (TCP, UDP and Unix).

```bash
ss
```

`ss -l` — Show only listening sockets.

```bash
ss -l
```

`ss -a` — Show all sockets (listening and established).

```bash
ss -a
```

`ss -s` — Show socket statistics summary (total, TCP, UDP, RAW counts).

```bash
ss -s
```

## Protocol Filters

`ss -t` — Show TCP connections only.

```bash
ss -t
```

`ss -u` — Show UDP sockets only.

```bash
ss -u
```

`ss -w` — Show RAW sockets only.

```bash
ss -w
```

`ss -x` — Show Unix domain sockets only.

```bash
ss -x
```

`ss -4` — Show IPv4 sockets only.

```bash
ss -4
```

`ss -6` — Show IPv6 sockets only.

```bash
ss -6
```

`ss -tl` — Show TCP listening sockets.

```bash
ss -tl
```

`ss -ul` — Show UDP listening sockets.

```bash
ss -ul
```

`ss -tua` — Show all TCP and UDP sockets.

```bash
ss -tua
```

## Display Options

`ss -n` — Numeric output — do not resolve service names or hostnames.

```bash
ss -n
```

`ss -p` — Show process using the socket (requires root for other users' processes).

```bash
sudo ss -p
```

`ss -e` — Show extended socket information (UID, inode, cookie).

```bash
ss -e
```

`ss -m` — Show socket memory usage.

```bash
ss -m
```

`ss -ti` — Show internal TCP information (congestion, RTT, window sizes).

```bash
ss -ti
```

`ss -to` — Show timer information (keepalive, retransmit timers).

```bash
ss -to
```

`ss -Z` — Show SELinux security context.

```bash
ss -Z
```

## Common Combinations

`ss -tlnp` — Show TCP listening ports with port numbers and process info. The most commonly used combination.

```bash
sudo ss -tlnp
```

`ss -tulnp` — Show all TCP and UDP listening ports with processes.

```bash
sudo ss -tulnp
```

`ss -tanp` — Show all TCP connections with port numbers and processes.

```bash
sudo ss -tanp
```

`ss -ti` — Show TCP connections with internal info (congestion window, RTT, MSS).

```bash
ss -ti
```

`ss -tlnpe` — Show listening TCP ports with process, numeric, and extended info.

```bash
sudo ss -tlnpe
```

## Filtering by Port

`ss -tln sport = :PORT` — Show sockets listening on a specific port.

```bash
ss -tln sport = :80
```

`ss -tn dport = :PORT` — Show connections to a specific destination port.

```bash
ss -tn dport = :443
```

`ss -tln sport = :PORT1 or sport = :PORT2` — Filter by multiple ports using OR.

```bash
ss -tln 'sport = :80 or sport = :443'
```

`ss -tn sport gt :1024` — Show connections with source port greater than 1024.

```bash
ss -tn 'sport gt :1024'
```

`ss -tn sport lt :1024` — Show connections with privileged source ports (< 1024).

```bash
ss -tn 'sport lt :1024'
```

## Filtering by Address

`ss -tn dst ADDRESS` — Show connections to a specific destination address.

```bash
ss -tn dst 8.8.8.8
```

`ss -tn src ADDRESS` — Show connections from a specific source address.

```bash
ss -tn src 192.168.1.100
```

`ss -tn dst NETWORK/CIDR` — Show connections to a specific network.

```bash
ss -tn dst 10.0.0.0/8
```

## Filtering by State

`ss -t state established` — Show only established TCP connections.

```bash
ss -t state established
```

`ss -t state listening` — Show only listening TCP sockets.

```bash
ss -t state listening
```

`ss -t state time-wait` — Show only TIME-WAIT connections.

```bash
ss -t state time-wait
```

`ss -t state close-wait` — Show only CLOSE-WAIT connections (may indicate application issues).

```bash
ss -t state close-wait
```

`ss -t state fin-wait-1` — Show connections in FIN-WAIT-1 state.

```bash
ss -t state fin-wait-1
```

`ss -t state syn-sent` — Show connections in SYN-SENT state (outgoing connection attempts).

```bash
ss -t state syn-sent
```

`ss -t state syn-recv` — Show connections in SYN-RECV state (incoming connection attempts).

```bash
ss -t state syn-recv
```

`ss -t state connected` — Show all connected (non-listening) sockets.

```bash
ss -t state connected
```

## Practical Examples

`ss -tlnp | grep ':80 '` — Check which process is listening on port 80. The trailing space keeps ports such as 8080 from matching.

```bash
sudo ss -tlnp | grep ':80 '
```

`ss -Htn state established | wc -l` — Count the number of established TCP connections. `-H` suppresses the header line so it is not counted.

```bash
ss -Htn state established | wc -l
```

`ss -Htn state established dst :443 | wc -l` — Count established HTTPS connections.

```bash
ss -Htn state established dst :443 | wc -l
```

`ss -Htn | awk '{print $5}' | sed 's/:[^:]*$//' | sort | uniq -c | sort -rn | head` — Show top 10 remote IPs by connection count. `-H` drops the header line, and `sed` strips only the trailing port so IPv6 peers are grouped correctly.

```bash
ss -Htn | awk '{print $5}' | sed 's/:[^:]*$//' | sort | uniq -c | sort -rn | head
```

`ss -Ht state time-wait | wc -l` — Count TIME-WAIT connections (high numbers may indicate connection churn).

```bash
ss -Ht state time-wait | wc -l
```

`watch -n 1 'ss -s'` — Continuously monitor socket statistics.

```bash
watch -n 1 'ss -s'
```

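`sudo ss -tnp | grep ssh` — Find all SSH connections. With `-n` the match is on the process name, so root is needed to see processes owned by other users.

```bash
sudo ss -tnp | grep ssh
```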

`ss -lnp | grep -E ':(80|443|8080|8443) '` — Check all common web server ports.

```bash
sudo ss -lnp | grep -E ':(80|443|8080|8443) '
```
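
Added example (not part of the original cheat sheet): a listener audit over `ss -Htulnp` output that reports sockets bound to a non-loopback address whose protocol/port is not on an allowlist. The helper name `unexpected_listeners`, the `proto/port` allowlist format and the sample output are assumptions constructed for illustration.

```bash
#!/bin/sh
# Constructed sample of `sudo ss -Htulnp` output (not captured from a real host).
sample_ss_output() {
cat <<'EOF'
udp UNCONN 0 0    127.0.0.53%lo:53   0.0.0.0:* users:(("systemd-resolve",pid=612,fd=13))
tcp LISTEN 0 128        0.0.0.0:22   0.0.0.0:* users:(("sshd",pid=801,fd=3))
tcp LISTEN 0 511        0.0.0.0:80   0.0.0.0:* users:(("nginx",pid=1022,fd=6))
tcp LISTEN 0 4096     127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=950,fd=5))
tcp LISTEN 0 4096          [::]:8080    [::]:* users:(("java",pid=1500,fd=44))
tcp LISTEN 0 128              *:6379       *:* users:(("redis-server",pid=1300,fd=6))
EOF
}

# unexpected_listeners PROTO/PORT...   (hypothetical helper, reads ss output on stdin)
# Prints "proto/port address process" for every listener that is reachable from
# outside loopback and whose proto/port is not in the allowlist given as arguments.
unexpected_listeners() {
    awk -v allow="$*" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    {
        port = $5; sub(/.*:/, "", port)        # text after the last colon
        addr = $5; sub(/:[^:]*$/, "", addr)    # text before the last colon
        sub(/%.*/, "", addr)                   # drop an interface scope such as %lo
        if (addr ~ /^127\./ || addr == "[::1]") next   # bound to loopback only
        if (($1 "/" port) in ok) next                  # expected service
        proc = "-"                                     # no -p data (not run as root)
        if (match($0, /users:\(\("[^"]+"/))
            proc = substr($0, RSTART + 9, RLENGTH - 10)
        print $1 "/" port, addr, proc
    }'
}

# Live use: sudo ss -Htulnp | unexpected_listeners tcp/22 tcp/80
sample_ss_output | unexpected_listeners tcp/22 tcp/80
```

On the constructed sample this flags the wildcard-bound listeners on 8080 and 6379, while the loopback-only resolver and PostgreSQL sockets are skipped.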

## Conclusion

`ss` has definitively replaced `netstat` on modern Linux systems – with direct kernel access, expressive filter syntax and significantly shorter response times. For day-to-day work `sudo ss -tlnp` is usually enough to see what is listening and where; for diagnosis `-i` gives you deep insight into TCP internals that `netstat` never offered.

## Further Reading

- [ss(8) – manual page](https://man7.org/linux/man-pages/man8/ss.8.html) – all options at a glance
- [iproute2 – Wikipedia](https://en.wikipedia.org/wiki/Iproute2) – background and history of the tool suite

## Related Commands

- [netstat](https://www.jpkc.com/db/en/cheatsheets/networking/netstat/) – predecessor of ss, still pre-installed on many systems
- [ip](https://www.jpkc.com/db/en/cheatsheets/networking/ip/) – manage network interfaces, routes and addresses
- [iftop](https://www.jpkc.com/db/en/cheatsheets/networking/iftop/) – display network bandwidth by connection

