ss — Inspect Socket Statistics and Network Connections
Practical guide to ss — query socket statistics, listening ports, protocol filters and TCP states from the kernel, with examples for everyday server work.
ss is the fast, modern replacement for netstat on Linux: instead of iterating through proc filesystem entries, it reads socket statistics directly from the kernel netlink interface – and returns active connections, listening ports and TCP states in milliseconds. This guide shows you how to check what is listening on your system, which process owns the socket and which connection states are currently active.
Basic Usage
ss — Show all established connections.
ssss -l — Show only listening sockets.
ss -lss -a — Show all sockets (listening and established).
ss -ass -s — Show socket statistics summary (total, TCP, UDP, RAW counts).
ss -sProtocol Filters
ss -t — Show TCP connections only.
ss -tss -u — Show UDP sockets only.
ss -uss -w — Show RAW sockets only.
ss -wss -x — Show Unix domain sockets only.
ss -xss -4 — Show IPv4 sockets only.
ss -4ss -6 — Show IPv6 sockets only.
ss -6ss -tl — Show TCP listening sockets.
ss -tlss -ul — Show UDP listening sockets.
ss -ulss -tua — Show all TCP and UDP sockets.
ss -tuaDisplay Options
ss -n — Numeric output — do not resolve service names or hostnames.
ss -nss -p — Show process using the socket (requires root for other users' processes).
sudo ss -pss -e — Show extended socket information (UID, inode, cookie).
ss -ess -m — Show socket memory usage.
ss -mss -ti — Show internal TCP information (congestion, RTT, window sizes).
ss -tiss -to — Show timer information (keepalive, retransmit timers).
ss -toss -Z — Show SELinux security context.
ss -ZCommon Combinations
ss -tlnp — Show TCP listening ports with port numbers and process info. The most commonly used combination.
sudo ss -tlnpss -tulnp — Show all TCP and UDP listening ports with processes.
sudo ss -tulnpss -tanp — Show all TCP connections with port numbers and processes.
sudo ss -tanpss -ti — Show TCP connections with internal info (congestion window, RTT, MSS).
ss -tiss -tlnpe — Show listening TCP ports with process, numeric, and extended info.
sudo ss -tlnpeFiltering by Port
ss -tln sport = :PORT — Show sockets listening on a specific port.
ss -tln sport = :80ss -tn dport = :PORT — Show connections to a specific destination port.
ss -tn dport = :443ss -tln sport = :PORT1 or sport = :PORT2 — Filter by multiple ports using OR.
ss -tln 'sport = :80 or sport = :443'ss -tn sport gt :1024 — Show connections with source port greater than 1024.
ss -tn 'sport gt :1024'ss -tn sport lt :1024 — Show connections with privileged source ports (< 1024).
ss -tn 'sport lt :1024'Filtering by Address
ss -tn dst ADDRESS — Show connections to a specific destination address.
ss -tn dst 8.8.8.8ss -tn src ADDRESS — Show connections from a specific source address.
ss -tn src 192.168.1.100ss -tn dst NETWORK/CIDR — Show connections to a specific network.
ss -tn dst 10.0.0.0/8Filtering by State
ss -t state established — Show only established TCP connections.
ss -t state establishedss -t state listening — Show only listening TCP sockets.
ss -t state listeningss -t state time-wait — Show only TIME-WAIT connections.
ss -t state time-waitss -t state close-wait — Show only CLOSE-WAIT connections (may indicate application issues).
ss -t state close-waitss -t state fin-wait-1 — Show connections in FIN-WAIT-1 state.
ss -t state fin-wait-1ss -t state syn-sent — Show connections in SYN-SENT state (outgoing connection attempts).
ss -t state syn-sentss -t state syn-recv — Show connections in SYN-RECV state (incoming connection attempts).
ss -t state syn-recvss -t state connected — Show all connected (non-listening) sockets.
ss -t state connectedPractical Examples
ss -tlnp | grep :80 — Check which process is listening on port 80.
sudo ss -tlnp | grep :80ss -tn state established | wc -l — Count the number of established TCP connections.
ss -tn state established | wc -lss -tn state established dst :443 | wc -l — Count established HTTPS connections.
ss -tn state established dst :443 | wc -lss -tn | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -rn | head — Show top 10 remote IPs by connection count.
ss -tn | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -rn | headss -t state time-wait | wc -l — Count TIME-WAIT connections (high numbers may indicate connection churn).
ss -t state time-wait | wc -lwatch -n 1 'ss -s' — Continuously monitor socket statistics.
watch -n 1 'ss -s'ss -tnp | grep ssh — Find all SSH connections.
ss -tnp | grep sshss -lnp | grep -E ':(80|443|8080|8443) ' — Check all common web server ports.
sudo ss -lnp | grep -E ':(80|443|8080|8443) 'Conclusion
ss has definitively replaced netstat on modern Linux systems – with direct kernel access, expressive filter syntax and significantly shorter response times. For day-to-day work sudo ss -tlnp is usually enough to see what is listening and where; for diagnosis -i gives you deep insight into TCP internals that netstat never offered.
Further Reading
- ss(8) – manual page – all options at a glance
- iproute2 – Wikipedia – background and history of the tool suite