How to Use the ss Command: A Comprehensive Guide
If you’re like many seasoned Linux users, you might still rely on commands like ifconfig, nslookup, and netstat. However, these are gradually being replaced by ip, dig, and ss, respectively. It’s time to embrace the future and move away from legacy utilities. The ip command also deserves attention as it handles some of the functionalities previously covered by netstat. This article will serve as your comprehensive guide to using the ss command effectively, saving you the trouble of extensive research. The focus of this guide is to help you understand How to Use the ss Command.
Introduction to ss
The ss command, short for socket statistics, is a command-line tool designed for investigating network sockets. It serves as a modern replacement for the older netstat tool. The key advantage of ss over netstat lies in its capability to provide more detailed and comprehensive information about network connections. This makes it an indispensable tool for network administrators and engineers.
Michael Prokop, the developer of ss, intentionally designed it to facilitate a smooth transition from netstat. He achieved this by enabling some of netstat’s options to function similarly within ss. This compatibility helps users adapt to the new tool without having to learn an entirely new command structure from the ground up. This article focuses on How to Use the ss Command in your daily tasks.
Basic Usage
Displaying TCP Sockets
A common task performed with netstat is displaying TCP sockets. Here’s how you can accomplish the same using both netstat and ss:
With netstat:
$ netstat -t
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 rhel8:ssh khess-mac:62036 ESTABLISHEDWith ss:
$ ss -t
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 192.168.1.65:ssh 192.168.1.94:62036The output from both commands presents similar information, displaying active TCP connections.
Resolving Hostnames
To emulate the output of netstat more closely, you can use the -r (resolve) option in ss, which resolves hostnames:
$ ss -tr
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 rhel8:ssh khess-mac:62036Displaying Port Numbers
If you prefer viewing port numbers instead of their service names, use the -n option:
$ ss -ntr
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 rhel8:22 khess-mac:62036Displaying All Sockets
To display all sockets, including listening and non-listening ones, use the -a option:
$ ss -a
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
ESTAB 0 0 192.168.1.65:ssh 192.168.1.94:62036This command provides a list of all sockets in various states.
Filtering by State
You can filter the output to show only sockets in a specific state. For example, to show only listening sockets:
$ ss -l
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*Displaying Unix Domain Sockets
To display Unix domain sockets, use the -x option:
$ ss -x
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 /run/user/0/systemd/private * 0
LISTEN 0 128 /var/lib/sss/pipes/private/sbus-dp_implicit_files.642 * 0Displaying Summary Statistics
To view summary statistics of all socket connections, use the -s option:
$ ss -s
Total: 182
TCP: 3 (estab 1, closed 0, orphaned 0, timewait 0)
Transport Total IP IPv6
RAW 1 0 1
UDP 3 2 1
TCP 3 2 1
INET 7 4 3
FRAG 0 0 0Advanced Usage
Filtering by Address and Port
You can filter sockets based on local or remote addresses and ports. For example, to show all sockets connected to port 22:
$ ss -at '( dport = :22 )'
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
ESTAB 0 0 192.168.1.65:ssh 192.168.1.94:62036To filter by local address:
$ ss -at '( src = 192.168.1.65 )'
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 192.168.1.65:ssh 192.168.1.94:62036Combining Filters
You can combine multiple filters to refine your search. For example, to show all TCP connections to port 22 on a specific IP address:
$ ss -at '( dport = :22 and src = 192.168.1.65 )'
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 192.168.1.65:ssh 192.168.1.94:62036Displaying Connection States
To display sockets in specific states such as ESTABLISHED, LISTEN, or CLOSE-WAIT:
$ ss state established
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 192.168.1.65:ssh 192.168.1.94:62036Displaying Network Interfaces
To display information about network interfaces, use the -i option:
$ ss -i
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
u_str ESTAB 0 0 * 20241 * 0
skmem:(r0,rb79377,t0,tb32768,f1348,w0,o0,bl0,d0)Comparison with netstat
Displaying Group Memberships
Some functionality of netstat has been moved to the ip command. For example, to display group memberships:
With netstat:
$ netstat -g
IPv6/IPv4 Group Memberships
Interface RefCnt Group
--------------- ------ ---------------------
lo 1 all-systems.mcast.net
enp0s3 1 all-systems.mcast.net
lo 1 ff02::1
lo 1 ff01::1
enp0s3 1 ff02::1:ffa6:ab3e
enp0s3 1 ff02::1:ff8d:912c
enp0s3 1 ff02::1
enp0s3 1 ff01::1With ip:
$ ip maddr
1: lo
inet 224.0.0.1
inet6 ff02::1
inet6 ff01::1
2: enp0s3
link 01:00:5e:00:00:01
link 33:33:00:00:00:01
link 33:33:ff:8d:91:2c
link 33:33:ff:a6:ab:3e
inet 224.0.0.1
inet6 ff02::1:ffa6:ab3e
inet6 ff02::1:ff8d:912c
inet6 ff02::1
inet6 ff01::1Displaying Network Statistics
netstat provides detailed network statistics, which ss currently lacks:
With netstat:
$ netstat -s
Ip:
Forwarding: 2
6231 total packets received
2 with invalid addresses
0 forwarded
0 incoming packets discarded
3104 incoming packets delivered
2011 requests sent out
243 dropped because of missing route
<truncated>With ss:
$ ss -s
Total: 182
TCP: 3 (estab 1, closed 0, orphaned 0, timewait 0)
Transport Total IP IPv6
RAW 1 0 1
UDP 3 2 1
TCP 3 2 1
INET 7 4 3
FRAG 0 0 0As you can see, ss provides a more concise summary of statistics compared to the detailed breakdown offered by netstat. For those who need granular statistics, this can be a limitation of ss. Understanding How to Use the ss Command is still valuable, despite this limitation.
Practical Examples
Monitoring Network Connections
One practical use of ss is to monitor active network connections in real-time. This can be especially useful for troubleshooting network issues or ensuring that services are running as expected.
To watch active connections, you can use watch with ss:
$ watch -n 1 'ss -t -a'This command updates the display every second, showing you the current state of TCP connections.
Checking Listening Ports
To see which ports are being listened to by various services on your system, use:
$ ss -ltn
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*This command helps identify all listening TCP ports and the services bound to them, useful for ensuring that required services are up and running.
Diagnosing Network Problems
When diagnosing network problems, ss can be used to filter connections by various parameters to pinpoint issues.
For example, if you suspect an issue with connections to a specific server, you can filter by the remote address:
$ ss -t dst 192.168.1.94
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 192.168.1.65:ssh 192.168.1.94:62036This command shows all TCP connections to the specified remote address.
Analyzing Traffic on Specific Ports
To analyze traffic on a specific port, such as port 80 (HTTP), you can use:
$ ss -o state established '( dport = :80 or sport = :80 )'
State Recv-Q Send-Q Local Address:Port Peer Address:Port Timer
ESTAB 0 0 192.168.1.65:49852 93.184.216.34:80 on (5.34/8.74)This command shows established connections involving port 80, providing insight into web traffic.
Transitioning from netstat to ss
Transitioning from netstat to ss can be seamless if you understand the equivalent options and commands. Here are some common netstat commands and their ss equivalents:
Displaying Network Interface Statistics
With netstat:
$ netstat -i
Kernel Interface table
Iface MTU RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0 1500 983 0 0 0 879 0 0 0 BMRU
lo 65536 8821 0 0 0 8821 0 0 0 LRUWith ss:
$ ss -i
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
u_str ESTAB 0 0 * 20241 * 0
skmem:(r0,rb79377,t0,tb32768,f1348,w0,o0,bl0,d0)Displaying Routing Table
With netstat:
$ netstat -r
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 eth0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0With ip:
$ ip route
default via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.65Displaying Multicast Group Memberships
With netstat:
$ netstat -g
IPv6/IPv4 Group Memberships
Interface RefCnt Group
--------------- ------ ---------------------
lo 1 all-systems.mcast.net
enp0s3 1 all-systems.mcast.net
lo 1 ff02::1
lo 1 ff01::1
enp0s3 1 ff02::1:ffa6:ab3e
enp0s3 1 ff02::1:ff8d:912c
enp0s3 1 ff02::1
enp0s3 1 ff01::1With ip:
$ ip maddr
1: lo
inet 224.0.0.1
inet6 ff02::1
inet6 ff01::1
2: enp0s3
link 01:00:5e:00:00:01
link 33:33:00:00:00:01
link 33:33:ff:8d:91:2c
link 33:33:ff:a6:ab:3e
inet 224.0.0.1
inet6 ff02::1:ffa6:ab3e
inet6 ff02::1:ff8d:912c
inet6 ff02::1
inet6 ff01::1Displaying Network Protocol Statistics
With netstat:
$ netstat -s
Ip:
Forwarding: 2
6231 total packets received
2 with invalid addresses
0 forwarded
0 incoming packets discarded
3104 incoming packets delivered
2011 requests sent out
243 dropped because of missing route
<truncated>With ss:
$ ss -s
Total: 182
TCP: 3 (estab 1, closed 0, orphaned 0, timewait 0)
Transport Total IP IPv6
RAW 1 0 1
UDP 3 2 1
TCP 3 2 1
INET 7 4 3
FRAG 0 0 0As you can see, ss provides a summary rather than a detailed breakdown. While this can be useful for quick overviews, it might not provide the depth of information needed for thorough network diagnostics.
Conclusion
The ss command is a powerful and versatile tool that has effectively replaced netstat for investigating socket statistics. While it offers many of the same functionalities as netstat, it also introduces new features and more detailed output options. Transitioning to ss from netstat is made easier by the similar options and commands, allowing users to continue their network monitoring and troubleshooting activities with minimal adjustment. You now understand How to Use the ss Command.
By learning and mastering ss, you can take advantage of its capabilities to manage and diagnose network connections more efficiently. Whether you are monitoring active connections, checking listening ports, diagnosing network problems, or analyzing traffic, ss provides a robust set of options to help you get the job done.
So, embrace the future of network statistics with ss and leverage its powerful features to enhance your network administration tasks. How to Use the ss Command is a critical skill for modern system administrators.
Alternative Solutions for Network Monitoring
While ss is a valuable tool, other methods can be used for network monitoring and diagnostics, each offering different strengths and use cases. Here are two alternative approaches:
1. Using tcpdump for Packet Analysis
tcpdump is a powerful command-line packet analyzer that captures and displays network traffic. Unlike ss, which focuses on socket statistics, tcpdump allows you to inspect the actual packets being transmitted, providing deeper insights into network behavior.
Explanation:
tcpdump works by listening to network interfaces and capturing packets that match specified filter criteria. You can filter traffic by host, port, protocol, and other parameters, making it a versatile tool for troubleshooting network issues and analyzing traffic patterns.
Code Example:
To capture traffic on port 80 (HTTP) and display it in a human-readable format, you can use the following command:
sudo tcpdump -i eth0 port 80 -A-i eth0: Specifies the network interface to listen on (e.g.,eth0,wlan0).port 80: Filters traffic to only capture packets on port 80.-A: Displays the captured packets in ASCII format, making it easier to read the data being transmitted.
Benefits:
- Deep Packet Inspection: Allows you to examine the contents of network packets, providing detailed information about the data being transmitted.
- Troubleshooting: Helps identify network issues such as dropped packets, retransmissions, and protocol errors.
- Security Analysis: Can be used to detect malicious traffic and analyze network vulnerabilities.
Limitations:
- Complexity: Requires a good understanding of network protocols and packet structures to interpret the captured data effectively.
- Resource Intensive: Capturing and analyzing large amounts of traffic can consume significant system resources.
- Privacy Concerns: Capturing packet data may raise privacy concerns, especially if sensitive information is being transmitted.
2. Utilizing nmap for Network Discovery and Port Scanning
nmap (Network Mapper) is a versatile tool for network discovery and security auditing. It can be used to scan networks, identify hosts, and determine the services running on each host. While ss focuses on active connections, nmap can provide a broader view of the network landscape.
Explanation:
nmap works by sending various types of network probes to target hosts and analyzing the responses. It can identify open ports, detect operating systems, and gather other information about the target systems.
Code Example:
To scan a network (e.g., 192.168.1.0/24) and identify open ports, you can use the following command:
sudo nmap -p 1-100 192.168.1.0/24-p 1-100: Specifies the port range to scan (in this case, ports 1 to 100).192.168.1.0/24: Specifies the target network to scan.
Benefits:
- Network Discovery: Helps identify all active hosts on a network.
- Port Scanning: Determines which ports are open on each host, revealing the services running.
- Security Auditing: Can be used to identify potential security vulnerabilities and assess the network’s security posture.
Limitations:
- Intrusiveness: Network scanning can be considered intrusive and may trigger security alerts.
- Legality: Scanning networks without permission may be illegal in some jurisdictions.
- Accuracy: The accuracy of
nmap‘s results can be affected by firewalls and other security measures.
These alternative methods, combined with a strong understanding of How to Use the ss Command, provide a comprehensive toolkit for network monitoring and troubleshooting.