ss Command in Linux: Syntax, Options & Socket Filtering (Ubuntu)

ss (socket statistics) from iproute2 lists TCP, UDP, UNIX, and other sockets on Linux — states, queues, processes, and filters — faster and richer than legacy netstat.

Published

Updated

Read time 12 min read

Reviewed byDeepak Prasad

ss Command in Linux: Syntax, Options & Socket Filtering (Ubuntu)
About ss (socket statistics) from iproute2 lists TCP, UDP, UNIX, and other sockets on Linux — states, queues, processes, and filters — faster and richer than legacy netstat.
Tested on Ubuntu 25.04 (Plucky Puffin); iproute2-6.14.0; kernel 7.0.0-27-generic
Package iproute2 (apt/deb) · iproute (dnf/rpm)
Man page ss(8)
Privilege none (some filters need root for process names)
Distros

Linux systems with iproute2 (most distros).

Legacy alternative: netstat (often from net-tools; slower, fewer socket types).

Related guide

ss — quick reference

Help and version

When to use Command
Show built-in usage (synopsis and flags) ss --help
Print iproute2 package version ss -V
ss --version

Default display and naming

Control which sockets appear and whether names or numbers are shown.

When to use Command
Show connected sockets (default — omits listening and many idle sockets) ss
Include listening and non-connected sockets ss -a
ss --all
Show only listening sockets ss -l
ss --listening
Show TCP sockets in bound-but-inactive state ss -B
ss --bound-inactive
Print IP addresses and port numbers (skip DNS/service lookup) ss -n
ss --numeric
Resolve host and service names where possible ss -r
ss --resolve
Hide the column header line (script-friendly) ss -H
ss --no-header
Omit Recv-Q and Send-Q columns ss -Q
ss --no-queues
Print each socket on one line ss -O
ss --oneline

Socket detail columns

Add timer, memory, process, cgroup, or TCP internal metrics to the default table.

When to use Command
Show timer information (keepalive, timewait, …) ss -o
ss --options
Show extended fields (inode, cgroup path, sk: cookie) ss -e
ss --extended
Show per-socket kernel memory counters ss -m
ss --memory
Show process name and PID owning the socket (often needs root) ss -p
ss --processes
Show thread name and TID using the socket ss -T
ss --threads
Show internal TCP metrics (RTT, cwnd, retrans, …) ss -i
ss --info
Show internal TIPC socket information ss --tipcinfo
Show Type-of-Service and priority fields ss --tos
Show cgroup path for each socket ss --cgroup
Show BPF-related socket information ss -b
ss --bpf
List all BPF socket-local storage maps ss --bpf-maps
Dump one BPF map by ID (replace MAP-ID) ss --bpf-map-id=MAP-ID
Show inet-level socket options ss --inet-sockopt

Summary and live monitoring

When to use Command
Print socket count summary instead of a full table ss -s
ss --summary
Continuously print sockets as they are destroyed (Ctrl+C to stop) ss -E
ss --events

Security context (SELinux)

When to use Command
Show task SELinux security context ss -Z
ss --context
Show both task and socket SELinux contexts ss -z
ss --contexts

Network namespace

When to use Command
List sockets inside another network namespace (name from ip netns list) ss -N NETNS
ss --net=NETNS

Socket type and address family

Filter by protocol or limit to IPv4/IPv6. Combine flags (for example ss -ltn for listening TCP with numeric ports).

When to use Command
TCP sockets only ss -t
ss --tcp
UDP sockets only ss -u
ss --udp
UNIX domain sockets only ss -x
ss --unix
RAW sockets only ss -w
ss --raw
PACKET sockets only ss -0
ss --packet
DCCP sockets only ss -d
ss --dccp
SCTP sockets only ss -S
ss --sctp
MPTCP sockets only ss -M
ss --mptcp
TIPC sockets only ss --tipc
vsock sockets only ss --vsock
XDP sockets only ss --xdp
IPv4 sockets only ss -4
ss --ipv4
IPv6 sockets only ss -6
ss --ipv6
Limit to a socket address family ss -f inet
ss --family=inet6
ss -f help (list families)
Query one or more socket tables (comma-separated) ss -A tcp
ss --query=inet,udp

Supported --family / -f values: inet, inet6, link, unix, netlink, vsock, tipc, xdp.

Supported -A / --query values include all, inet, tcp, udp, raw, unix, packet, netlink, dccp, sctp, vsock_stream, vsock_dgram, tipc, xdp, and related variants (see ss --help).

Administrative

When to use Command
Forcibly close matching sockets and print what closed (needs root; disruptive) sudo ss -K 'sport = :PORT'
sudo ss --kill
Dump raw TCP diagnostic records to a file ss -D /path/file
ss --diag=/path/file
Read filter expressions from a file (one per line) ss -F /path/filter
ss --filter=/path/filter

Filter expressions

Place filters after options. Combine state with port or address expressions.

When to use Command
Match local port (service name or number) ss 'sport = :ssh'
ss 'sport = :22'
Match remote port ss 'dport = :https'
Match TCP state (with optional timer column via -o) ss -o state established
ss state listening
Match SSH established flows (local or remote port 22) ss -o state established '( dport = :ssh or sport = :ssh )'
Shorthand state groups from the man page ss state connected
ss state synchronized
ss state bucket
ss state big
Match all TCP states except listen and closed ss state connected

state values: established, syn-sent, syn-recv, fin-wait-1, fin-wait-2, time-wait, closed, close-wait, last-ack, listening, closing, plus grouped aliases above.


ss — command syntax

Synopsis from ss --help on Ubuntu 25.04 (iproute2-6.14.0):

text
ss [ OPTIONS ]
ss [ OPTIONS ] [ FILTER ]

ss reads socket data from the kernel via netlink; it does not edit /etc files. Process names (-p) and some cgroup fields may require root. See sudo when your user cannot see other users' sockets.


ss — command examples

Essential List listening TCP ports (numeric)

When you need to know which TCP ports accept connections on this host, combine listening and TCP filters and skip DNS lookups.

Run the command:

bash
ss -ltn

Sample output:

text
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN 0      4096       127.0.0.1:ipp         0.0.0.0:*
LISTEN 0      4096   127.0.0.53%lo:domain      0.0.0.0:*
LISTEN 0      4096         0.0.0.0:ssh         0.0.0.0:*
LISTEN 0      4096            [::]:ssh            [::]:*

LISTEN rows are services waiting for inbound connections. 0.0.0.0:ssh means SSH listens on all IPv4 interfaces; [::]:ssh is the IPv6 listener.

Essential Socket summary — quick health snapshot

Before scrolling thousands of socket lines, check totals and TCP state counts.

Run the command:

bash
ss -s

Sample output:

text
Total: 871
TCP:   43 (estab 18, closed 14, orphaned 0, timewait 14)

Transport Total     IP        IPv6
RAW	  2         0         2
UDP	  8         6         2
TCP	  29        17        12
INET	  39        23        16
FRAG	  0         0         0

High timewait or orphaned counts can hint at connection churn or application bugs — pair this with ss -o state time-wait for details.

Essential Which process owns a TCP connection?

When a port is in use but you do not know the daemon, add process information.

Run the command:

bash
sudo ss -tp

Sample output:

text
State Recv-Q Send-Q      Local Address:Port       Peer Address:Port Process
ESTAB 0      0               10.0.2.15:57516      52.23.84.150:https users:(("node",pid=4323,fd=26))
ESTAB 0      0               10.0.2.15:ssh            10.0.2.2:60513 users:(("sshd-session",pid=10102,fd=4),("sshd-session",pid=10069,fd=4))

The Process column lists the command, PID, and file descriptor. Without sudo, many rows show no process name.

Common Filter established SSH sessions

Audit active SSH logins by matching established TCP flows where either side uses port 22 (or the ssh service name).

Run the command:

bash
ss -o state established '( dport = :ssh or sport = :ssh )'

Sample output:

text
Netid Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   0      0          10.0.2.15:ssh      10.0.2.2:60513 timer:(keepalive,68min,0)
tcp   0      0          10.0.2.15:ssh      10.0.2.2:57105 timer:(keepalive,42min,0)

Each line is one live SSH TCP connection. The timer:(keepalive,...) field appears because -o adds timer metadata.

Common Resolve peers to hostnames

Readable output for reports — resolve IPs to names where reverse DNS exists.

Run the command:

bash
ss -tr

Sample output:

text
State Recv-Q Send-Q Local Address:Port                               Peer Address:Port
ESTAB 0      0            server1:57516  ec2-52-23-84-150.compute-1.amazonaws.com:https
ESTAB 0      0            server1:ssh                                    _gateway:60513

Use -n instead when you need exact addresses for firewall rules or logs.

Common TCP RTT, congestion window, and retransmits

Diagnose slow or lossy TCP paths with internal stack metrics (requires established TCP sockets).

Run the command:

bash
ss -ti

Sample output:

text
State Recv-Q Send-Q      Local Address:Port       Peer Address:Port
ESTAB 0      0               10.0.2.15:57516      52.23.84.150:https
	 cubic rto:202 rtt:1.996/0.536 ato:40 mss:1460 pmtu:1500 rcvmss:1440 advmss:1460 cwnd:10 bytes_sent:43115 bytes_acked:43116 ...
ESTAB 0      0               10.0.2.15:ssh            10.0.2.2:60513
	 cubic rto:203 rtt:2.781/1.355 ... send 42Mbps ... minrtt:0.249 ...

Watch rtt, retrans, and cwnd on problem connections. The second line under each socket is kernel TCP info, not a separate socket.

Common UNIX domain sockets (daemons and desktop buses)

DBus, PulseAudio, and container sockets often use UNIX domain sockets rather than TCP.

Run the command:

bash
ss -x

Sample output:

text
Netid State Recv-Q Send-Q                                          Local Address:Port   Peer Address:Port
u_str ESTAB 0      0                                                           * 507165            * 507166
u_str ESTAB 0      0                                  /run/user/119/pulse/native 99119             * 99118
u_str ESTAB 0      0                              /run/dbus/system_bus_socket 96502             * 96501

Paths under /run usually map to systemd services or session buses.

Advanced Reusable filter file for scripts

Store filter expressions in a file when cron or monitoring runs the same query repeatedly.

Create a filter file and run ss:

bash
echo 'sport = :ssh' > /tmp/ss-filter.txt
ss -F /tmp/ss-filter.txt

Sample output:

text
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   ESTAB 0      0          10.0.2.15:ssh      10.0.2.2:60513
tcp   ESTAB 0      0          10.0.2.15:ssh      10.0.2.2:57105

Remove the temp file when done: rm /tmp/ss-filter.txt.

Advanced Dump raw TCP diagnostics to a file

Save kernel TCP diagnostic records for offline analysis or support tickets.

Run the command:

bash
ss -D /tmp/ss-diag.txt
ls -l /tmp/ss-diag.txt

Sample output:

text
-rw-r--r-- 1 root root 2272 Jul  1 14:40 /tmp/ss-diag.txt

The file is binary/raw diag data — not plain text like normal ss output. Delete when finished: rm /tmp/ss-diag.txt.

Advanced Forcibly close sockets matching a filter (root)

-K closes kernel sockets that match the filter. Use only on test listeners or when you intentionally reset stuck connections.

Start a test listener, confirm it, then close it with ss -K:

bash
nc -l 127.0.0.1 19999 &
sleep 0.3
ss -lt 'sport = :19999'
sudo ss -K 'sport = :19999'

Sample output:

text
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      1          127.0.0.1:19999      0.0.0.0:*
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port

After -K, the listener socket is gone. Do not run broad ss -K filters on production SSH or database ports.


ss — when to use / when not

Use ss when Use something else when
  • You need fast socket listings on a modern Linux host with iproute2
  • You want TCP internal metrics, cgroup paths, or BPF socket data
  • You filter by state, port, or address with expressive filter syntax
  • You troubleshoot listening ports, established flows, or UNIX sockets
  • The host only has legacy net-tools and no iproute2 → netstat
  • You need per-connection bytes over time or packet contents → tcpdump or ip -s link
  • You must see which file descriptor maps to a path → lsof
  • You audit open files across many types, not only sockets → lsof

ss vs netstat

ss (iproute2) netstat (net-tools)
Package iproute2 net-tools (often unmaintained)
Speed Faster on busy hosts Slower; scans /proc heavily
Socket types TCP, UDP, RAW, UNIX, PACKET, tipc, vsock, XDP, … Mostly inet and unix
TCP info -i shows RTT, cwnd, retrans Limited or absent
Filters state, sport, dport, expression files Fewer expressive filters
Default on Current Ubuntu, RHEL, Debian Legacy scripts and old docs

See the netstat command cheat sheet for the older tool.


Commands often used in the same troubleshooting workflow — sockets, packets, and open files.

Command One line
ss Socket statistics (this page)
netstat Legacy socket listing
lsof Open files and sockets by path
tcpdump Capture packets on the wire
netstat Legacy port and socket listing

Browse the full index on the Linux commands cheat sheet.


ss — interview corner

What is the ss command in Linux?

ss stands for socket statistics. It is part of iproute2 (same family as ip) and asks the kernel for socket information over netlink.

Admins use it to answer: what is listening, what is connected, which PID owns a port, and whether TCP connections look healthy (RTT, retransmits). On current distros it replaced most netstat use cases.

A strong answer is:

"ss is iproute2's socket statistics tool — it lists TCP, UDP, UNIX, and other sockets with filters and optional process, timer, and TCP info columns. I reach for it before netstat on modern Linux."

Why use ss instead of netstat?

Both show sockets, but ss is maintained inside iproute2 and scales better on hosts with thousands of connections. It exposes features netstat never had: TCP internal metrics (-i), cgroup paths (--cgroup), BPF data (-b), and rich filter expressions.

netstat from net-tools is legacy; many distros no longer install it by default.

A strong answer is:

"ss is faster, actively maintained, and supports more socket types and filters. netstat is legacy net-tools — fine on old systems, but ss is the default choice on current Ubuntu and RHEL."

What do Recv-Q and Send-Q mean in ss output?

They are kernel queue depths for that socket:

  • Recv-Q — bytes received by the kernel but not yet read by the application
  • Send-Q — bytes accepted from the application but not yet acknowledged on the wire (TCP) or not yet sent

A listening socket with non-zero Recv-Q on UDP can mean datagrams waiting. Persistently high Send-Q on TCP often means the peer is slow or the network is congested.

A strong answer is:

"Recv-Q is data waiting in the kernel for the app to read; Send-Q is data the app wrote but TCP has not fully cleared. Sustained high Send-Q on established TCP suggests backpressure."

How do you list only established SSH connections with ss?

Combine a state filter with a port expression and optional timer output:

bash
ss -o state established '( dport = :ssh or sport = :ssh )'

Parentheses group the OR condition. Service names like ssh resolve via /etc/services; use :22 for numeric certainty.

A strong answer is:

"I use ss with state established and a filter on port 22 — for example dport or sport equals ssh — and -o if I want keepalive timers in the output."

Why does ss -p sometimes show no process name?

The Process column comes from cgroup and /proc data. Viewing other users' sockets or sockets owned by root usually requires root (sudo ss -p).

Some short-lived or kernel sockets never attach a userspace owner.

A strong answer is:

"Process info needs permission — I run sudo ss -p when I need PIDs for system services or other users' connections. Without root, many rows stay blank."


Troubleshooting

Symptom Likely cause Fix
RTNETLINK answers: Invalid argument mixed with output Some socket tables unavailable in this network namespace or kernel config Ignore if the rows you need still appear; narrow with -t, -u, or -x
Empty Process column with -p Insufficient privilege Run sudo ss -p
ss: "t" is illegal socket table id Typo combining -A with type flags Use ss -A tcp or ss -t, not ss -At
ss -K closes production traffic Broad kill filter Match a narrow filter (sport = :PORT on a test listener only)
No netstat but ss missing iproute2 not installed sudo apt install iproute2 on Debian/Ubuntu
Filter matches nothing Wrong state name or service alias Try numeric ports (:22); run ss -a first to see actual states

References

Rohan Timalsina

is a technical writer and Linux enthusiast who writes practical guides on Linux commands and system administration. He focuses on simplifying complex topics through clear explanations.