If you’re like me, you still cling to soon-to-be-deprecated commands like ifconfig, nslookup, and netstat. The new replacements are ip, dig, and ss, respectively. It’s time to (reluctantly) let go of legacy utilities and head into the future with ss. The ip command is worth a mention here because part of netstat‘s functionality has been replaced by ip. This article covers the essentials for the ss command so that you don’t have to dig (no pun intended) for them.
Introduction to ss
Formally, ss (socket statistics) is a command-line utility used to investigate sockets. It is the modern replacement for the older netstat tool. The primary advantage of ss over netstat is its ability to provide more detailed and more extensive information about network connections, making it an essential tool for network administrators and engineers.
Michael Prokop, the developer of ss, designed it to ease the transition from netstat by allowing some of netstat‘s options to operate similarly in ss. This compatibility helps users to switch without needing to learn an entirely new set of commands from scratch.
Basic Usage
Displaying TCP Sockets
One of the most common uses of netstat is to display TCP sockets. Here’s how you can do it with both netstat and ss:
With netstat:
$ netstat -t
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 rhel8:ssh khess-mac:62036 ESTABLISHEDWith ss:
$ ss -t
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 192.168.1.65:ssh 192.168.1.94:62036The output from both commands provides similar information, showing active TCP connections.
Resolving Hostnames
To better mimic the output of netstat, you can use the -r (resolve) option in ss, which resolves hostnames:
$ ss -tr
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 rhel8:ssh khess-mac:62036Displaying Port Numbers
If you prefer seeing port numbers rather than their service names, use the -n option:
$ ss -ntr
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 rhel8:22 khess-mac:62036Displaying All Sockets
To display all sockets, including listening and non-listening, use the -a option:
$ ss -a
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
ESTAB 0 0 192.168.1.65:ssh 192.168.1.94:62036This command lists all sockets in various states.
Filtering by State
You can filter the output to show only sockets in a specific state. For example, to show only listening sockets:
$ ss -l
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*Displaying Unix Domain Sockets
To display Unix domain sockets, use the -x option:
$ ss -x
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 /run/user/0/systemd/private * 0
LISTEN 0 128 /var/lib/sss/pipes/private/sbus-dp_implicit_files.642 * 0Displaying Summary Statistics
To view summary statistics of all socket connections, use the -s option:
$ ss -s
Total: 182
TCP: 3 (estab 1, closed 0, orphaned 0, timewait 0)
Transport Total IP IPv6
RAW 1 0 1
UDP 3 2 1
TCP 3 2 1
INET 7 4 3
FRAG 0 0 0Advanced Usage
Filtering by Address and Port
You can filter sockets based on local or remote addresses and ports. For example, to show all sockets connected to port 22:
$ ss -at '( dport = :22 )'
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
ESTAB 0 0 192.168.1.65:ssh 192.168.1.94:62036To filter by local address:
$ ss -at '( src = 192.168.1.65 )'
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 192.168.1.65:ssh 192.168.1.94:62036Combining Filters
You can combine multiple filters to refine your search. For example, to show all TCP connections to port 22 on a specific IP address:
$ ss -at '( dport = :22 and src = 192.168.1.65 )'
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 192.168.1.65:ssh 192.168.1.94:62036Displaying Connection States
To display sockets in specific states such as ESTABLISHED, LISTEN, or CLOSE-WAIT:
$ ss state established
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 192.168.1.65:ssh 192.168.1.94:62036Displaying Network Interfaces
To display information about network interfaces, use the -i option:
$ ss -i
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
u_str ESTAB 0 0 * 20241 * 0
skmem:(r0,rb79377,t0,tb32768,f1348,w0,o0,bl0,d0)Comparison with netstat
Displaying Group Memberships
Some functionality of netstat has been moved to the ip command. For example, to display group memberships:
With netstat:
$ netstat -g
IPv6/IPv4 Group Memberships
Interface RefCnt Group
--------------- ------ ---------------------
lo 1 all-systems.mcast.net
enp0s3 1 all-systems.mcast.net
lo 1 ff02::1
lo 1 ff01::1
enp0s3 1 ff02::1:ffa6:ab3e
enp0s3 1 ff02::1:ff8d:912c
enp0s3 1 ff02::1
enp0s3 1 ff01::1With ip:
$ ip maddr
1: lo
inet 224.0.0.1
inet6 ff02::1
inet6 ff01::1
2: enp0s3
link 01:00:5e:00:00:01
link 33:33:00:00:00:01
link 33:33:ff:8d:91:2c
link 33:33:ff:a6:ab:3e
inet 224.0.0.1
inet6 ff02::1:ffa6:ab3e
inet6 ff02::1:ff8d:912c
inet6 ff02::1
inet6 ff01::1Displaying Network Statistics
netstat provides detailed network statistics, which ss currently lacks:
With netstat:
$ netstat -s
Ip:
Forwarding: 2
6231 total packets received
2 with invalid addresses
0 forwarded
0 incoming packets discarded
3104 incoming packets delivered
2011 requests sent out
243 dropped because of missing route
<truncated>With ss:
$ ss -s
Total: 182
TCP: 3 (estab 1, closed 0, orphaned 0, timewait 0)
Transport Total IP IPv6
RAW 1 0 1
UDP 3 2 1
TCP 3 2 1
INET 7 4 3
FRAG 0 0 0As you can see, ss provides a more concise summary of statistics compared to the detailed breakdown offered by netstat. For those who need granular statistics, this can be a limitation of ss.
Practical Examples
Monitoring Network Connections
One practical use of ss is to monitor active network connections in real-time. This can be especially useful for troubleshooting network issues or ensuring that services are running as expected.
To watch active connections, you can use watch with ss:
$ watch -n 1 'ss -t -a'This command updates the display every second, showing you the current state of TCP connections.
Checking Listening Ports
To see which ports are being listened to by various services on your system, use:
$ ss -ltn
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*This command helps identify all listening TCP ports and the services bound to them, useful for ensuring that required services are up and running.
Diagnosing Network Problems
When diagnosing network problems, ss can be used to filter connections by various parameters to pinpoint issues.
For example, if you suspect an issue with connections to a specific server, you can filter by the remote address:
$ ss -t dst 192.168.1.94
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 192.168.1.65:ssh 192.168.1.94:62036This command shows all TCP connections to the specified remote address.
Analyzing Traffic on Specific Ports
To analyze traffic on a specific port, such as port 80 (HTTP), you can use:
$ ss -o state established '( dport = :80 or sport = :80 )'
State Recv-Q Send-Q Local Address:Port Peer Address:Port Timer
ESTAB 0 0 192.168.1.65:49852 93.184.216.34:80 on (5.34/8.74)This command shows established connections involving port 80, providing insight into web traffic.
Transitioning from netstat to ss
Transitioning from netstat to ss can be seamless if you understand the equivalent options and commands. Here are some common netstat commands and their ss equivalents:
Displaying Network Interface Statistics
With netstat:
$ netstat -i
Kernel Interface table
Iface MTU RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0 1500 983 0 0 0 879 0 0 0 BMRU
lo 65536 8821 0 0 0 8821 0 0 0 LRUWith ss:
$ ss -i
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
u_str ESTAB 0 0 * 20241 * 0
skmem:(r0,rb79377,t0,tb32768,f1348,w0,o0,bl0,d0)Displaying Routing Table
With netstat:
$ netstat -r
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 eth0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0With ip:
$ ip route
default via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.65Displaying Multicast Group Memberships
With netstat:
$ netstat -g
IPv6/IPv4 Group Memberships
Interface RefCnt Group
--------------- ------ ---------------------
lo 1 all-systems.mcast.net
enp0s3 1 all-systems.mcast.net
lo 1 ff02::1
lo 1 ff01::1
enp0s3 1 ff02::1:ffa6:ab3e
enp0s3 1 ff02::1:ff8d:912c
enp0s3 1 ff02::1
enp0s3 1 ff01::1
With ip:
$ ip maddr
1: lo
inet 224.0.0.1
inet6 ff02::1
inet6 ff01::1
2: enp0s3
link 01:00:5e:00:00:01
link 33:33:00:00:00:01
link 33:33:ff:8d:91:2c
link 33:33:ff:a6:ab:3e
inet 224.0.0.1
inet6 ff02::1:ffa6:ab3e
inet6 ff02::1:ff8d:912c
inet6 ff02::1
inet6 ff01::1Displaying Network Protocol Statistics
With netstat:
$ netstat -s
Ip:
Forwarding: 2
6231 total packets received
2 with invalid addresses
0 forwarded
0 incoming packets discarded
3104 incoming packets delivered
2011 requests sent out
243 dropped because of missing route
<truncated>With ss:
$ ss -s
Total: 182
TCP: 3 (estab 1, closed 0, orphaned 0, timewait 0)
Transport Total IP IPv6
RAW 1 0 1
UDP 3 2 1
TCP 3 2 1
INET 7 4 3
FRAG 0 0 0As you can see, ss provides a summary rather than a detailed breakdown. While this can be useful for quick overviews, it might not provide the depth of information needed for thorough network diagnostics.
Conclusion
The ss command is a powerful and versatile tool that has effectively replaced netstat for investigating socket statistics. While it offers many of the same functionalities as netstat, it also introduces new features and more detailed output options. Transitioning to ss from netstat is made easier by the similar options and commands, allowing users to continue their network monitoring and troubleshooting activities with minimal adjustment.
By learning and mastering ss, you can take advantage of its capabilities to manage and diagnose network connections more efficiently. Whether you are monitoring active connections, checking listening ports, diagnosing network problems, or analyzing traffic, ss provides a robust set of options to help you get the job done.
So, embrace the future of network statistics with ss and leverage its powerful features to enhance your network administration tasks.
Français
English
العربية
Webhi.Technology
@WebHiTechnology