Introduction
In Linux system administration, knowing the state of network connections is essential for diagnosing problems, optimizing performance, and ensuring security. For years, the netstat tool has been the standard, but its development has stalled and it presents limitations on modern systems.
What is ss?
The ss (socket statistics) command is part of the iproute2 package and provides a faster and more detailed way to inspect sockets, TCP, UDP, and other protocols. It leverages the kernel’s Netlink interface, allowing it to retrieve information almost in real time.
Installation
In most modern distributions, iproute2 comes pre-installed. If it is missing, install it from the package manager: on Debian/Ubuntu, sudo apt-get install iproute2; on RHEL/CentOS, sudo yum install iproute; on Fedora, sudo dnf install iproute (on RPM-based distributions the package is named iproute).
Basic Syntax
The simplest form is to run ss without arguments, which displays a summarized list of all open sockets. For more detail, you can add options such as -t for TCP, -u for UDP, and -a to include both active and listening sockets.
Show All Connections
To view all TCP and UDP connections, use ss -a. This output includes the state (ESTAB, LISTEN, etc.), local and remote addresses, and the process identifier when combined with -p. It is useful for a quick overview of traffic.
Filter by Protocol
If you are only interested in TCP, run ss -t; for UDP, use ss -u. You can combine filters, for example ss -tu shows both protocols. Additionally, -4 and -6 limit the output to IPv4 or IPv6 respectively.
Show Listening Sockets
Services waiting for connections appear in the LISTEN state. Using ss -l lists only those sockets. Adding -t or -u yields TCP or UDP listeners, which helps verify which ports are open on the system.
Process Information
To associate each socket with its responsible process, use the -p option. This shows the PID and program name, which is indispensable when you need to identify which application is using a particular port.
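The listener and process views described above can be combined into one exposure check. This is an added example, not part of the original post: it reads ss -H -tulnp output and reports listeners reachable from other hosts whose port is not on an allowlist. The -H (no header) and -n (numeric) flags are real ss options not covered in this article; ALLOWED_PORTS, the function name and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit listening sockets taken from `ss -H -tulnp` output.
# Live use (root is needed to see other users' process names):
#   sudo ss -H -tulnp | audit_listeners

# Assumption: ports this host is expected to expose to the network.
ALLOWED_PORTS="22 443"

# Constructed sample in the column layout of `ss -H -tulnp`:
# Netid State Recv-Q Send-Q Local:Port Peer:Port Process
SAMPLE='tcp LISTEN 0 128  0.0.0.0:22     0.0.0.0:* users:(("sshd",pid=812,fd=3))
tcp LISTEN 0 4096 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=990,fd=5))
udp UNCONN 0 0    0.0.0.0:68     0.0.0.0:* users:(("dhclient",pid=640,fd=6))
tcp LISTEN 0 511  [::]:8080      [::]:*    users:(("node",pid=2210,fd=19))
tcp LISTEN 0 128  [::1]:631      [::]:*    users:(("cupsd",pid=700,fd=7))
tcp LISTEN 0 128  0.0.0.0:3306   0.0.0.0:*'

# Reads ss lines on stdin and prints "proto port address process" for each
# listener that is not bound to loopback and whose port is not allowed.
audit_listeners() {
  awk -v allowed="$ALLOWED_PORTS" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    {
      port = $5; sub(/.*:/, "", port)       # text after the last colon
      addr = $5; sub(/:[^:]*$/, "", addr)   # text before the last colon
      # Loopback binds are not reachable from other hosts: skip them.
      if (addr ~ /^127\./ || addr == "[::1]") next
      if (port in ok) next
      # Without root, ss omits users:(...) for sockets owned by other users.
      proc = "unknown"
      if (match($0, /users:\(\("[^"]+"/))
        proc = substr($0, RSTART + 9, RLENGTH - 10)
      print $1, port, addr, proc
    }'
}
```

On the constructed sample, printf '%s\n' "$SAMPLE" | audit_listeners reports the dhclient, node and unattributed 3306 listeners, and skips sshd (allowed port) and the two loopback-only services.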
Real-time Monitoring
Just like netstat -c, ss allows continuous updates with the -c option. Every second (or the specified interval) the information is reread, making it easy to detect rapid changes in connection state.
Comparison with netstat
While netstat reads information from various files in /proc, which can be slower on systems with many connections, ss queries the kernel directly via Netlink, providing almost instantaneous responses. Moreover, its output is more uniform and its filtering options are more powerful.
Advanced Options
Among the extra capabilities of ss are: -s to show summary statistics, -i for internal TCP information (such as the congestion algorithm), and -p with process filters like ss -p 'pid = 1234'. You can also combine them with regular expressions for IP addresses or ports.
Troubleshooting Common Issues
If running ss gives you a permission denied message, make sure to use sudo to access process information for other users. In containers or environments with capability restrictions, you may need to grant the CAP_NET_ADMIN privilege to view certain details.
Conclusion
The ss command represents a necessary evolution from the old netstat. Its speed, accuracy, and wealth of options make it the preferred tool for system administrators seeking efficient and modern network monitoring on Linux.