Cheatsheet & Examples: ss
The ss command is a powerful tool for inspecting network sockets. It provides detailed information about TCP, UDP, and other network connections, similar to netstat, but often with improved performance and more advanced filtering capabilities.
Listing All Established TCP Connections
Example Usage:
ss -t state established
What it does: Lists all established TCP connections on the system.
Command-line Arguments Explained:
-t: Specifies that you want to see TCP sockets.state established: Filters the output to show only connections that are in the established state.
Listing All Listening Sockets
Example Usage:
ss -l
What it does: Lists all listening sockets (sockets that are waiting for incoming connections).
Command-line Arguments Explained:
-l: Displays listening sockets.
Listing All UDP Sockets
Example Usage:
ss -u
What it does: Lists all UDP sockets.
Command-line Arguments Explained:
-u: Specifies that you want to see UDP sockets.
Displaying Numeric Addresses and Ports
Example Usage:
ss -n
What it does: Displays numeric addresses and ports, avoiding hostname and service name resolution.
Command-line Arguments Explained:
-n: Shows numerical addresses and ports. This bypasses DNS lookups and /etc/services lookups, making the output faster and often clearer.
Displaying Process Information
Example Usage:
ss -p
What it does: Displays process information associated with each socket, including the PID and process name.
Command-line Arguments Explained:
-p: Shows process information. This includes the process ID (PID) and the process name associated with each socket.
Showing Detailed Socket Information
Example Usage:
ss -i
What it does: Displays internal TCP information, such as congestion window size, send and receive buffers, etc.
Command-line Arguments Explained:
-i: Shows internal TCP information. This provides detailed statistics about the TCP connection.
Filtering by Port
Example Usage:
ss -t -a 'sport = :80'
What it does: Lists TCP sockets, showing all states (-a), and filters the output to only include sockets with a source port of 80.
Command-line Arguments Explained:
-t: Specifies TCP sockets.-a: Shows all sockets (listening and connected).'sport = :80': Uses an extended filter.sportrefers to the source port.:80represents port 80 (HTTP). This filters the output to show connections originating from port 80. (Note: the single quotes are important for the shell to interpret this correctly.)
Filtering by Local Address and Port
Example Usage:
ss -t -l 'sport = :22 and dport = :1024-65535'
What it does: Lists listening TCP sockets on port 22 (SSH) and filters to include connections originating from ports in the dynamic/private range (1024-65535).
Command-line Arguments Explained:
-t: Specifies TCP sockets.-l: Lists listening sockets.'sport = :22': Filters based on source port (SSH, port 22).and: Combines filter conditions.dport = :1024-65535: Filters based on destination port being within the dynamic port range.
Showing Summary Statistics
Example Usage:
ss -s
What it does: Provides a summary of socket statistics, including the number of established, listening, and other types of sockets.
Command-line Arguments Explained:
-s: Displays summary statistics.
Showing Timers
Example Usage:
ss -t -o state closing
What it does: Shows TCP sockets in the closing state, along with timer information.
Command-line Arguments Explained:
-t: Specifies TCP sockets.-o: Displays socket timers.state closing: Filters output by sockets in the closing state.
Filtering by Interface
Example Usage:
ss -n -i | grep wlan0
What it does: Lists all network sockets with numeric output. The results are then piped to grep to find entries that belong to the interface wlan0.
Command-line Arguments Explained:
-n: Shows numerical addresses and ports.-i: Shows internal TCP information.| grep wlan0: Pipes the output to the grep command to filter based on a matching interface name.
