another utility to investigate sockets
[options] [ FILTER ]
is used to dump socket statistics. It allows showing
information similar to netstat. It can display more
TCP and state informations than other tools.
When no option
is used ss displays a list of open non-listening sockets
(e.g. TCP/UNIX/UDP) that have established connection.
Show summary of options.
Output version information.
Do not try to resolve service
Try to resolve numeric
Display both listening and
non-listening (for TCP this means established connections)
Display only listening sockets
(these are omitted by default).
Show timer information.
Show detailed socket
Show socket memory usage.
Show process using socket.
Show internal TCP
Print summary statistics. This
option does not parse socket lists obtaining summary from
various sources. It is useful when amount of sockets is so
huge that parsing /proc/net/tcp is painful.
As the −p option
but also shows process security context.
netlink(7) sockets the initiating process context is
displayed as follows:
If valid pid show the process context.
If destination is kernel (pid = 0) show kernel initial
If a unique identifier has been allocated by the kernel
or netlink user, show context as "unavailable".
This will generally indicate that a process has more than
one netlink socket active.
As the −Z option
but also shows the socket context. The socket context is
taken from the associated inode and is not the actual socket
context held by the kernel. Sockets are typically labeled
with the context of the creating process, however the
context shown will reflect any policy role, type and/or
range transition rules applied, and is therefore a useful
Switch to the specified network
Show socket BPF filters (only
administrators are allowed to get these information).
Display only IP version 4
sockets (alias for -f inet).
Display only IP version 6
sockets (alias for -f inet6).
Display PACKET sockets (alias
for -f link).
Display TCP sockets.
Display UDP sockets.
Display DCCP sockets.
Display RAW sockets.
Display Unix domain sockets
(alias for -f unix).
Display sockets of type FAMILY.
Currently the following families are supported: unix, inet,
inet6, link, netlink.
List of socket tables to dump,
separated by commas. The following identifiers are
understood: all, inet, tcp, udp, raw, unix, packet, netlink,
unix_dgram, unix_stream, unix_seqpacket, packet_raw,
Do not display anything, just
dump raw information about TCP sockets to FILE after
applying filters. If FILE is - stdout is used.
Read filter information from
FILE. Each line of FILE is interpreted like single command
line option. If FILE is - stdin is used.
FILTER := [ state
STATE-FILTER ] [ EXPRESSION ]
Please take a look at the
official documentation (Debian package iproute-doc) for
details regarding filters.
allows to construct arbitrary set of states to match. Its
syntax is sequence of keywords state and exclude followed by
identifier of state.
Available identifiers are:
TCP states: established, syn-sent,
syn-recv, fin-wait-1, fin-wait-2,
time-wait, closed, close-wait,
last-ack, listen and closing.
for all the states
- all the states except for listen and
- all the connected states except for
states, which are maintained as minisockets, i.e.
time-wait and syn-recv
opposite to bucket
Display all TCP sockets.
ss -t -a -Z
Display all TCP sockets with
process SELinux security contexts.
ss -u -a
Display all UDP sockets.
ss -o state established
’( dport = :ssh or sport = :ssh )’
Display all established ssh
ss -x src
Find all local processes
connected to X server.
ss -o state fin-wait-1
’( sport = :http or sport = :https )’ dst
List all the tcp sockets in
state FIN-WAIT-1 for our apache to network 193.233.7/24 and
look at their timers.
RFC 793 - https://tools.ietf.org/rfc/rfc793.txt (TCP
written by Alexey Kuznetsov,
page was written by Michael Prokop <firstname.lastname@example.org> for
the Debian project (but may be used by others).