ss Command Linux: Complete Guide to Modern Socket Statistics and Network Analysis

The ss command is a powerful and modern utility for investigating sockets and network connections in Linux systems. As the successor to the traditional netstat command, ss provides faster performance and more detailed information about socket statistics, making it an essential tool for system administrators and network engineers.

Table of Contents

What is the ss Command?

The ss (socket statistics) command is a utility used to dump socket statistics and display information about network connections. It can show information about TCP, UDP, UNIX domain sockets, and more. Unlike netstat, which reads various /proc files, ss gets its information directly from the kernel, making it significantly faster and more efficient.

Key Advantages of ss over netstat:

Speed: Much faster execution, especially on systems with many connections
Efficiency: Uses netlink sockets to communicate directly with the kernel
Rich filtering: Advanced filtering capabilities using expressions
Better output: More detailed and structured information display

Basic ss Command Syntax

The basic syntax of the ss command is:

ss [options] [filter]

Essential Options

Option	Description
`-t`	Display TCP sockets
`-u`	Display UDP sockets
`-l`	Display only listening sockets
`-a`	Display all sockets (listening and non-listening)
`-n`	Show numerical addresses instead of resolving hosts
`-p`	Show process using the socket
`-s`	Show socket statistics summary
`-4`	Display IPv4 sockets only
`-6`	Display IPv6 sockets only

Practical Examples of ss Command

1. Display All Socket Connections

$ ss -a

This command shows all socket connections, both listening and established. The output includes various socket types:

Netid  State      Recv-Q Send-Q Local Address:Port  Peer Address:Port
u_str  ESTAB      0      0      * 25445              * 25446    
tcp    LISTEN     0      128    0.0.0.0:22           0.0.0.0:*
tcp    LISTEN     0      80     127.0.0.1:3306       0.0.0.0:*
tcp    ESTAB      0      0      192.168.1.100:22     192.168.1.50:54320

2. Show Only TCP Connections

$ ss -t

Output example:

State    Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB    0      0      192.168.1.100:22     192.168.1.50:54320
ESTAB    0      36     192.168.1.100:80     203.0.113.1:49152

3. Display Listening Ports Only

$ ss -l

This shows all listening sockets:

Netid  State   Recv-Q Send-Q Local Address:Port  Peer Address:Port
tcp    LISTEN  0      128    0.0.0.0:22          0.0.0.0:*
tcp    LISTEN  0      128    [::]:22             [::]:*
tcp    LISTEN  0      80     127.0.0.1:3306      0.0.0.0:*

4. Show TCP Listening Ports with Process Information

$ ss -tlp

Output with process details:

State   Recv-Q Send-Q Local Address:Port  Peer Address:Port  Process
LISTEN  0      128    0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=1234,fd=3))
LISTEN  0      80     127.0.0.1:3306      0.0.0.0:*          users:(("mysqld",pid=2345,fd=10))
LISTEN  0      128    0.0.0.0:80          0.0.0.0:*          users:(("apache2",pid=3456,fd=4))

5. Display Socket Statistics Summary

$ ss -s

This provides a comprehensive summary:

Total: 1089
TCP:   24 (estab:8, closed:12, orphaned:0, timewait:4)

Transport Total     IP        IPv6
RAW       1         0         1
UDP       8         6         2
TCP       12        10        2
INET      21        16        5
FRAG      0         0         0

Advanced Filtering with ss Command

1. Filter by State

You can filter connections by their state:

$ ss state established

Available states include:

established
syn-sent
syn-recv
fin-wait-1
fin-wait-2
time-wait
closed
close-wait
last-ack
listening
closing

2. Filter by Port

# Show connections on port 80
$ ss -t '( dport = :80 or sport = :80 )'

# Show connections on port range
$ ss -t '( dport >= :1000 and dport <= :2000 )'

3. Filter by IP Address

# Show connections to specific IP
$ ss dst 192.168.1.50

# Show connections from specific IP
$ ss src 192.168.1.100

4. Complex Filtering Examples

# TCP connections to port 443 from specific subnet
$ ss -t '( dport = :443 ) and ( src 192.168.1.0/24 )'

# All established connections except SSH
$ ss state established '( not dport = :22 )'

Monitoring Network Performance

1. Display Extended Socket Information

$ ss -i

This shows detailed socket information including congestion control algorithms and window sizes:

tcp   ESTAB  0      0   192.168.1.100:22  192.168.1.50:54320
     cubic wscale:7,7 rto:201 rtt:0.5/0.25 ato:40 mss:1448 
     cwnd:10 ssthresh:7 bytes_acked:2844 segs_out:25 segs_in:26

2. Memory Information

$ ss -m

Shows memory usage for each socket:

tcp   ESTAB  0      0   192.168.1.100:80  203.0.113.1:49152
     skmem:(r0,rb369280,t0,tb46080,f4096,w0,o0,bl0,d0)

Memory values explanation:

r: rmem_alloc (socket receive buffer)
rb: rcv_buf (socket receive buffer size)
t: wmem_alloc (socket send buffer)
tb: snd_buf (socket send buffer size)
f: fwd_alloc (forward allocation)
w: wmem_queued (write queue size)

Practical Use Cases for System Administration

1. Troubleshooting Network Issues

# Check for connections in TIME_WAIT state
$ ss -t state time-wait | wc -l

# Find processes using specific ports
$ ss -tulpn | grep :3306

# Monitor active connections
$ watch 'ss -t state established'

2. Security Analysis

# Find all listening services
$ ss -tulpn | grep LISTEN

# Check for suspicious connections
$ ss -t state established '( not dport = :22 and not dport = :80 and not dport = :443 )'

# Monitor connections from external IPs
$ ss -t src not 127.0.0.1 and src not 192.168.0.0/16

3. Performance Monitoring

# Check socket buffer usage
$ ss -m state established

# Monitor congestion window sizes
$ ss -i state established

# Track retransmissions
$ ss -i | grep -E 'retrans|lost'

Comparing ss with netstat

Task	netstat	ss
All connections	`netstat -a`	`ss -a`
TCP listening	`netstat -tl`	`ss -tl`
With processes	`netstat -tulpn`	`ss -tulpn`
Statistics	`netstat -s`	`ss -s`
Specific port	`netstat -an \| grep :80`	`ss -an dport = :80`

Advanced ss Command Features

1. Output Formatting

# Wide output format
$ ss -W

# Extended information
$ ss -e

# Output in JSON format (if supported)
$ ss -J

2. Timer Information

$ ss -o

Shows timer information for each socket:

tcp   ESTAB  0      0   192.168.1.100:22  192.168.1.50:54320
     timer:(keepalive,119min,0)

3. UNIX Domain Sockets

# Show UNIX sockets
$ ss -x

# UNIX sockets with process information
$ ss -xp

Creating Custom Monitoring Scripts

Here’s a practical bash script using ss for network monitoring:

#!/bin/bash
# network-monitor.sh

echo "=== Network Connection Summary ==="
ss -s

echo -e "\n=== Top 10 Most Active Connections ==="
ss -t state established -o | head -10

echo -e "\n=== Listening Services ==="
ss -tulpn | grep LISTEN | sort -k5

echo -e "\n=== Connections by State ==="
for state in established syn-sent syn-recv fin-wait-1 fin-wait-2 time-wait; do
    count=$(ss -t state $state | wc -l)
    echo "$state: $count"
done

Performance Optimization Tips

1. Using ss Efficiently

Use specific filters to reduce output and improve performance
Combine options effectively: ss -tlnp instead of multiple commands
Use numeric output (-n) to avoid DNS lookups
Filter early in the command rather than using grep

2. Monitoring Best Practices

# Good: Direct filtering
$ ss -t state established dport = :80

# Less efficient: Post-processing
$ ss -t state established | grep :80

Troubleshooting Common Network Issues

1. High Connection Count

# Check total connections
$ ss -s

# Identify connection states
$ ss -t | awk '{print $1}' | sort | uniq -c | sort -nr

# Find top connecting IPs
$ ss -tn | awk '{print $4}' | cut -d: -f1 | sort | uniq -c | sort -nr

2. Port Binding Issues

# Check if port is in use
$ ss -tulpn | grep :8080

# Find process binding to all interfaces
$ ss -tlp | grep "0.0.0.0:80"

3. Socket Buffer Analysis

# Check for full receive queues
$ ss -m | grep -E "Recv-Q.*[1-9]"

# Monitor send queue buildup
$ ss -m | awk '$3 > 0 {print}'

Integration with Other Tools

1. Using with awk for Custom Reports

# Connection count by remote IP
$ ss -tn state established | awk 'NR>1 {print $4}' | cut -d: -f1 | sort | uniq -c

# Average receive queue size
$ ss -tn | awk 'NR>1 && $2>0 {sum+=$2; count++} END {print sum/count}'

2. Integration with Monitoring Systems

# Export metrics for Prometheus
$ ss -s | awk '/TCP:/ {print "tcp_connections " $2}'

# JSON output for APIs
$ ss -tn state established | awk 'NR>1 {printf "{\"local\":\"%s\",\"remote\":\"%s\",\"state\":\"%s\"}\n", $3, $4, $1}'

Best Practices and Tips

1. Regular Monitoring

Set up cron jobs to monitor connection statistics
Use ss in log analysis scripts
Combine with system monitoring tools
Create alerts for unusual connection patterns

2. Security Considerations

Regularly audit listening services
Monitor for unauthorized connections
Track connection patterns for anomaly detection
Use ss output in security incident response

3. Performance Monitoring

Track socket buffer utilization
Monitor retransmission rates
Watch for growing TIME_WAIT states
Analyze connection establishment patterns

Conclusion

The ss command is an invaluable tool for modern Linux system administration and network troubleshooting. Its speed, efficiency, and rich filtering capabilities make it superior to traditional tools like netstat. By mastering ss command syntax, filtering options, and practical applications, you can effectively monitor, troubleshoot, and optimize network performance on your Linux systems.

Whether you’re diagnosing connectivity issues, monitoring application performance, or conducting security audits, the ss command provides the detailed socket statistics and network insights needed for professional system administration. Practice with the examples provided, and incorporate ss into your regular monitoring workflows to become more effective in managing Linux network infrastructure.