The ss command is used to dump socket statistics on Linux systems. It serves as a replacement for the netstat command and is often used for troubleshooting network problems.
To make the best use of the ss command, it’s important to understand what a socket is. A socket is a type of pseudo file (i.e., not an actual file) that represents a network connection. A socket identifies both the remote host and the port that it connects to so that data can be sent between the systems. Sockets are similar to pipes except that pipes only facilitate connections between processes on the same system where sockets work on the same or different systems. Unlike pipes, sockets also provide bidirectional communication. Sma Socket
Once a socket is created, communications between the local and a remote host will take the form of network packets.
With no arguments, ss will list all established (open non-listening) network connections regardless of their status. Here’s an example showing just the first few lines of the command’s output along with a single line including IP addresses:
The fields as shown in the ss command output above include:
The * characters in the above output indicate that the sockets are listening for traffic on all addresses. I included the last line to show a connection between two specific systems – this system and an ssh connection to a local host.
You can expect to see hundreds of lines of output when you use the ss command. To count the socket connections that are established on your system (adding one line for the heading), you can use a command like this:
The command below, which uses awk to look only at the second field in each line of ss output, shows that one socket is unconnected while 620 are established connections. This command is sorting on the content of the “State” field. The second row in the output shown below shows that column heading.
Using the ss -a (show all sockets) command will make the ss output display both listening and non-listening sockets. For TCP, “non-listening” means established connections while “listening” means waiting for a connection. The commands below show the difference in the amount of output.
For example, the ss -a output is likely to start with output like this:
To get a summary socket report, use the -s option as shown in the command below.
The script below will sort and summarize the content of any field in the ss command output.
If you add -a as an argument (or, in fact, any single argument), the script will summarize the output of the ss -a command rather than the ss command with no options. Select any field by number to select that column.
For example, to view how many times each Netid value appears, you can run the script like this:
Use the ss -h command to get a list of the command’s many options with brief descriptions.
Note that with the –S option, ss will show SCTP sockets only. With the -a option, ss will display both listening and non-listening sockets of every kind. With the -l parameter, ss will display listening sockets (omitted by default). With the -e option, ss will display detailed socket information. These are only a handful of the options available. Check the list above or use the ss -h command to view available options on your Linux host.
The ss command can provide important details on sockets – likely more than some of us imagined were available. Getting used to the command and its wide array of options may take a while, but this level of detail can be essential to understanding how your Linux systems are communicating with each other and with external systems.
Sandra Henry-Stocker has been administering Unix systems for more than 30 years. She describes herself as "USL" (Unix as a second language) but remembers enough English to write books and buy groceries. She lives in the mountains in Virginia where, when not working with or writing about Unix, she's chasing the bears away from her bird feeders.
4.5mm Pitch The opinions expressed in this blog are those of Sandra Henry-Stocker and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.