ss — quick reference
Help and version
| When to use | Command |
|---|---|
| Show built-in usage (synopsis and flags) | ss --help |
| Print iproute2 package version | ss -Vss --version |
Default display and naming
Control which sockets appear and whether names or numbers are shown.
| When to use | Command |
|---|---|
| Show connected sockets (default — omits listening and many idle sockets) | ss |
| Include listening and non-connected sockets | ss -ass --all |
| Show only listening sockets | ss -lss --listening |
| Show TCP sockets in bound-but-inactive state | ss -Bss --bound-inactive |
| Print IP addresses and port numbers (skip DNS/service lookup) | ss -nss --numeric |
| Resolve host and service names where possible | ss -rss --resolve |
| Hide the column header line (script-friendly) | ss -Hss --no-header |
| Omit Recv-Q and Send-Q columns | ss -Qss --no-queues |
| Print each socket on one line | ss -Oss --oneline |
Socket detail columns
Add timer, memory, process, cgroup, or TCP internal metrics to the default table.
| When to use | Command |
|---|---|
| Show timer information (keepalive, timewait, …) | ss -oss --options |
| Show extended fields (inode, cgroup path, sk: cookie) | ss -ess --extended |
| Show per-socket kernel memory counters | ss -mss --memory |
| Show process name and PID owning the socket (often needs root) | ss -pss --processes |
| Show thread name and TID using the socket | ss -Tss --threads |
| Show internal TCP metrics (RTT, cwnd, retrans, …) | ss -iss --info |
| Show internal TIPC socket information | ss --tipcinfo |
| Show Type-of-Service and priority fields | ss --tos |
| Show cgroup path for each socket | ss --cgroup |
| Show BPF-related socket information | ss -bss --bpf |
| List all BPF socket-local storage maps | ss --bpf-maps |
| Dump one BPF map by ID (replace MAP-ID) | ss --bpf-map-id=MAP-ID |
| Show inet-level socket options | ss --inet-sockopt |
Summary and live monitoring
| When to use | Command |
|---|---|
| Print socket count summary instead of a full table | ss -sss --summary |
| Continuously print sockets as they are destroyed (Ctrl+C to stop) | ss -Ess --events |
Security context (SELinux)
| When to use | Command |
|---|---|
| Show task SELinux security context | ss -Zss --context |
| Show both task and socket SELinux contexts | ss -zss --contexts |
Network namespace
| When to use | Command |
|---|---|
List sockets inside another network namespace (name from ip netns list) |
ss -N NETNSss --net=NETNS |
Socket type and address family
Filter by protocol or limit to IPv4/IPv6. Combine flags (for example ss -ltn for listening TCP with numeric ports).
| When to use | Command |
|---|---|
| TCP sockets only | ss -tss --tcp |
| UDP sockets only | ss -uss --udp |
| UNIX domain sockets only | ss -xss --unix |
| RAW sockets only | ss -wss --raw |
| PACKET sockets only | ss -0ss --packet |
| DCCP sockets only | ss -dss --dccp |
| SCTP sockets only | ss -Sss --sctp |
| MPTCP sockets only | ss -Mss --mptcp |
| TIPC sockets only | ss --tipc |
| vsock sockets only | ss --vsock |
| XDP sockets only | ss --xdp |
| IPv4 sockets only | ss -4ss --ipv4 |
| IPv6 sockets only | ss -6ss --ipv6 |
| Limit to a socket address family | ss -f inetss --family=inet6ss -f help (list families) |
| Query one or more socket tables (comma-separated) | ss -A tcpss --query=inet,udp |
Supported --family / -f values: inet, inet6, link, unix, netlink, vsock, tipc, xdp.
Supported -A / --query values include all, inet, tcp, udp, raw, unix, packet, netlink, dccp, sctp, vsock_stream, vsock_dgram, tipc, xdp, and related variants (see ss --help).
Administrative
| When to use | Command |
|---|---|
| Forcibly close matching sockets and print what closed (needs root; disruptive) | sudo ss -K 'sport = :PORT'sudo ss --kill |
| Dump raw TCP diagnostic records to a file | ss -D /path/filess --diag=/path/file |
| Read filter expressions from a file (one per line) | ss -F /path/filterss --filter=/path/filter |
Filter expressions
Place filters after options. Combine state with port or address expressions.
| When to use | Command |
|---|---|
| Match local port (service name or number) | ss 'sport = :ssh'ss 'sport = :22' |
| Match remote port | ss 'dport = :https' |
Match TCP state (with optional timer column via -o) |
ss -o state establishedss state listening |
| Match SSH established flows (local or remote port 22) | ss -o state established '( dport = :ssh or sport = :ssh )' |
| Shorthand state groups from the man page | ss state connectedss state synchronizedss state bucketss state big |
| Match all TCP states except listen and closed | ss state connected |
state values: established, syn-sent, syn-recv, fin-wait-1, fin-wait-2, time-wait, closed, close-wait, last-ack, listening, closing, plus grouped aliases above.
ss — command syntax
Synopsis from ss --help on Ubuntu 25.04 (iproute2-6.14.0):
ss [ OPTIONS ]
ss [ OPTIONS ] [ FILTER ]ss reads socket data from the kernel via netlink; it does not edit /etc files. Process names (-p) and some cgroup fields may require root. See sudo when your user cannot see other users' sockets.
ss — command examples
Essential List listening TCP ports (numeric)
When you need to know which TCP ports accept connections on this host, combine listening and TCP filters and skip DNS lookups.
Run the command:
ss -ltnSample output:
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 4096 127.0.0.1:ipp 0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:domain 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:ssh 0.0.0.0:*
LISTEN 0 4096 [::]:ssh [::]:*LISTEN rows are services waiting for inbound connections. 0.0.0.0:ssh means SSH listens on all IPv4 interfaces; [::]:ssh is the IPv6 listener.
Essential Socket summary — quick health snapshot
Before scrolling thousands of socket lines, check totals and TCP state counts.
Run the command:
ss -sSample output:
Total: 871
TCP: 43 (estab 18, closed 14, orphaned 0, timewait 14)
Transport Total IP IPv6
RAW 2 0 2
UDP 8 6 2
TCP 29 17 12
INET 39 23 16
FRAG 0 0 0High timewait or orphaned counts can hint at connection churn or application bugs — pair this with ss -o state time-wait for details.
Essential Which process owns a TCP connection?
When a port is in use but you do not know the daemon, add process information.
Run the command:
sudo ss -tpSample output:
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 10.0.2.15:57516 52.23.84.150:https users:(("node",pid=4323,fd=26))
ESTAB 0 0 10.0.2.15:ssh 10.0.2.2:60513 users:(("sshd-session",pid=10102,fd=4),("sshd-session",pid=10069,fd=4))The Process column lists the command, PID, and file descriptor. Without sudo, many rows show no process name.
Common Filter established SSH sessions
Audit active SSH logins by matching established TCP flows where either side uses port 22 (or the ssh service name).
Run the command:
ss -o state established '( dport = :ssh or sport = :ssh )'Sample output:
Netid Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp 0 0 10.0.2.15:ssh 10.0.2.2:60513 timer:(keepalive,68min,0)
tcp 0 0 10.0.2.15:ssh 10.0.2.2:57105 timer:(keepalive,42min,0)Each line is one live SSH TCP connection. The timer:(keepalive,...) field appears because -o adds timer metadata.
Common Resolve peers to hostnames
Readable output for reports — resolve IPs to names where reverse DNS exists.
Run the command:
ss -trSample output:
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 server1:57516 ec2-52-23-84-150.compute-1.amazonaws.com:https
ESTAB 0 0 server1:ssh _gateway:60513Use -n instead when you need exact addresses for firewall rules or logs.
Common TCP RTT, congestion window, and retransmits
Diagnose slow or lossy TCP paths with internal stack metrics (requires established TCP sockets).
Run the command:
ss -tiSample output:
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 10.0.2.15:57516 52.23.84.150:https
cubic rto:202 rtt:1.996/0.536 ato:40 mss:1460 pmtu:1500 rcvmss:1440 advmss:1460 cwnd:10 bytes_sent:43115 bytes_acked:43116 ...
ESTAB 0 0 10.0.2.15:ssh 10.0.2.2:60513
cubic rto:203 rtt:2.781/1.355 ... send 42Mbps ... minrtt:0.249 ...Watch rtt, retrans, and cwnd on problem connections. The second line under each socket is kernel TCP info, not a separate socket.
Common UNIX domain sockets (daemons and desktop buses)
DBus, PulseAudio, and container sockets often use UNIX domain sockets rather than TCP.
Run the command:
ss -xSample output:
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
u_str ESTAB 0 0 * 507165 * 507166
u_str ESTAB 0 0 /run/user/119/pulse/native 99119 * 99118
u_str ESTAB 0 0 /run/dbus/system_bus_socket 96502 * 96501Paths under /run usually map to systemd services or session buses.
Advanced Reusable filter file for scripts
Store filter expressions in a file when cron or monitoring runs the same query repeatedly.
Create a filter file and run ss:
echo 'sport = :ssh' > /tmp/ss-filter.txt
ss -F /tmp/ss-filter.txtSample output:
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp ESTAB 0 0 10.0.2.15:ssh 10.0.2.2:60513
tcp ESTAB 0 0 10.0.2.15:ssh 10.0.2.2:57105Remove the temp file when done: rm /tmp/ss-filter.txt.
Advanced Dump raw TCP diagnostics to a file
Save kernel TCP diagnostic records for offline analysis or support tickets.
Run the command:
ss -D /tmp/ss-diag.txt
ls -l /tmp/ss-diag.txtSample output:
-rw-r--r-- 1 root root 2272 Jul 1 14:40 /tmp/ss-diag.txtThe file is binary/raw diag data — not plain text like normal ss output. Delete when finished: rm /tmp/ss-diag.txt.
Advanced Forcibly close sockets matching a filter (root)
-K closes kernel sockets that match the filter. Use only on test listeners or when you intentionally reset stuck connections.
Start a test listener, confirm it, then close it with ss -K:
nc -l 127.0.0.1 19999 &
sleep 0.3
ss -lt 'sport = :19999'
sudo ss -K 'sport = :19999'Sample output:
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 1 127.0.0.1:19999 0.0.0.0:*
Netid State Recv-Q Send-Q Local Address:Port Peer Address:PortAfter -K, the listener socket is gone. Do not run broad ss -K filters on production SSH or database ports.
ss — when to use / when not
| Use ss when | Use something else when |
|---|---|
|
ss vs netstat
| ss (iproute2) | netstat (net-tools) | |
|---|---|---|
| Package | iproute2 |
net-tools (often unmaintained) |
| Speed | Faster on busy hosts | Slower; scans /proc heavily |
| Socket types | TCP, UDP, RAW, UNIX, PACKET, tipc, vsock, XDP, … | Mostly inet and unix |
| TCP info | -i shows RTT, cwnd, retrans |
Limited or absent |
| Filters | state, sport, dport, expression files |
Fewer expressive filters |
| Default on | Current Ubuntu, RHEL, Debian | Legacy scripts and old docs |
See the netstat command cheat sheet for the older tool.
Related commands
Commands often used in the same troubleshooting workflow — sockets, packets, and open files.
| Command | One line |
|---|---|
| ss | Socket statistics (this page) |
| netstat | Legacy socket listing |
| lsof | Open files and sockets by path |
| tcpdump | Capture packets on the wire |
| netstat | Legacy port and socket listing |
Browse the full index on the Linux commands cheat sheet.
ss — interview corner
What is the ss command in Linux?
ss stands for socket statistics. It is part of iproute2 (same family as ip) and asks the kernel for socket information over netlink.
Admins use it to answer: what is listening, what is connected, which PID owns a port, and whether TCP connections look healthy (RTT, retransmits). On current distros it replaced most netstat use cases.
A strong answer is:
"ss is iproute2's socket statistics tool — it lists TCP, UDP, UNIX, and other sockets with filters and optional process, timer, and TCP info columns. I reach for it before netstat on modern Linux."
Why use ss instead of netstat?
Both show sockets, but ss is maintained inside iproute2 and scales better on hosts with thousands of connections. It exposes features netstat never had: TCP internal metrics (-i), cgroup paths (--cgroup), BPF data (-b), and rich filter expressions.
netstat from net-tools is legacy; many distros no longer install it by default.
A strong answer is:
"ss is faster, actively maintained, and supports more socket types and filters. netstat is legacy net-tools — fine on old systems, but ss is the default choice on current Ubuntu and RHEL."
What do Recv-Q and Send-Q mean in ss output?
They are kernel queue depths for that socket:
- Recv-Q — bytes received by the kernel but not yet read by the application
- Send-Q — bytes accepted from the application but not yet acknowledged on the wire (TCP) or not yet sent
A listening socket with non-zero Recv-Q on UDP can mean datagrams waiting. Persistently high Send-Q on TCP often means the peer is slow or the network is congested.
A strong answer is:
"Recv-Q is data waiting in the kernel for the app to read; Send-Q is data the app wrote but TCP has not fully cleared. Sustained high Send-Q on established TCP suggests backpressure."
How do you list only established SSH connections with ss?
Combine a state filter with a port expression and optional timer output:
ss -o state established '( dport = :ssh or sport = :ssh )'Parentheses group the OR condition. Service names like ssh resolve via /etc/services; use :22 for numeric certainty.
A strong answer is:
"I use ss with state established and a filter on port 22 — for example dport or sport equals ssh — and -o if I want keepalive timers in the output."
Why does ss -p sometimes show no process name?
The Process column comes from cgroup and /proc data. Viewing other users' sockets or sockets owned by root usually requires root (sudo ss -p).
Some short-lived or kernel sockets never attach a userspace owner.
A strong answer is:
"Process info needs permission — I run sudo ss -p when I need PIDs for system services or other users' connections. Without root, many rows stay blank."
Troubleshooting
| Symptom | Likely cause | Fix |
|---|---|---|
RTNETLINK answers: Invalid argument mixed with output |
Some socket tables unavailable in this network namespace or kernel config | Ignore if the rows you need still appear; narrow with -t, -u, or -x |
Empty Process column with -p |
Insufficient privilege | Run sudo ss -p |
ss: "t" is illegal socket table id |
Typo combining -A with type flags |
Use ss -A tcp or ss -t, not ss -At |
ss -K closes production traffic |
Broad kill filter | Match a narrow filter (sport = :PORT on a test listener only) |
No netstat but ss missing |
iproute2 not installed | sudo apt install iproute2 on Debian/Ubuntu |
| Filter matches nothing | Wrong state name or service alias | Try numeric ports (:22); run ss -a first to see actual states |
References
- netstat command cheat sheet — legacy comparison
- Linux commands cheat sheet — broader command index
- ss(8) man page (Ubuntu noble — Plucky manpages not yet published for this page)
