ss (Socket Statistics)

Socket statistics — listening ports, established connections, and state filtering.

Listening Sockets

Show all listening TCP sockets with process names — the first command you run on any host
ss -tlnp
Show all listening UDP sockets with process names — catches DHCP, DNS, SNMP, syslog
ss -ulnp
Show both TCP and UDP listeners — complete picture of what is exposed
ss -tulnp
Show listeners on a specific port — is anything actually bound to port 443?
ss -tlnp sport = :443
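
An added example (not from the original page): a small filter that turns the `ss -tulnp` listing into an exposure check by dropping loopback-only listeners and anything on an allowlist. The function names, the allowlist and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: report listeners reachable from off-host that are not allowlisted.
# Function names, the allowlist and the sample lines are assumptions for illustration.

# Constructed sample in the column layout of `ss -H -tulnp`:
# Netid State Recv-Q Send-Q Local:Port Peer:Port Process
sample_ss_output() {
cat <<'EOF'
udp UNCONN 0 0    127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=612,fd=13))
udp UNCONN 0 0    0.0.0.0:161      0.0.0.0:* users:(("snmpd",pid=733,fd=6))
tcp LISTEN 0 128  0.0.0.0:22       0.0.0.0:* users:(("sshd",pid=845,fd=3))
tcp LISTEN 0 244  127.0.0.1:5432   0.0.0.0:* users:(("postgres",pid=990,fd=6))
tcp LISTEN 0 511  *:8080           *:*       users:(("node",pid=1500,fd=20))
tcp LISTEN 0 128  [::]:22          [::]:*    users:(("sshd",pid=845,fd=4))
tcp LISTEN 0 128  [::1]:631        [::]:*    users:(("cupsd",pid=700,fd=7))
EOF
}

# Usage on a real host: ss -H -tulnp | audit_listeners "tcp/22 tcp/443"
# Prints "proto port address process" for each unexpected non-loopback listener.
audit_listeners() {
    awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    {
        proto = $1; laddr = $5
        port = laddr; sub(/^.*:/, "", port)      # text after the last colon
        addr = laddr; sub(/:[^:]*$/, "", addr)   # text before the last colon
        sub(/%.*$/, "", addr)                    # drop interface scope such as %lo
        gsub(/\[|\]/, "", addr)                  # drop IPv6 brackets
        if (addr ~ /^127\./ || addr == "::1") next   # bound to loopback only
        if ((proto "/" port) in ok) next             # expected service
        proc = "-"                                   # no name when -p had no access
        if (match($0, /users:\(\("[^"]+"/))
            proc = substr($0, RSTART + 9, RLENGTH - 10)
        print proto, port, addr, proc
    }'
}

# Run against the constructed sample.
sample_ss_output | audit_listeners "tcp/22 tcp/443"
```

Without root, -p only shows process names for your own sockets, so the last column prints - for the rest.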

Established Connections

Show all established TCP connections — active sessions with remote endpoints
ss -tnp state established
Show established connections to a specific remote host — who is talking to ISE?
ss -tnp state established dst 10.50.1.20
Show established connections from a specific source port — track RADIUS responses (this matches RADIUS over TCP; standard RADIUS on 1812 runs over UDP, which -t does not list)
ss -tnp state established sport = :1812
Count established connections per remote IP — find which host has the most sessions
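# with a single-state filter ss omits the State column, so the peer is field 4; -H drops the header
ss -Htn state established | awk '{sub(/:[^:]*$/, "", $4); print $4}' | sort | uniq -c | sort -rn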

Filtering by Port and Address

Filter by destination port — show all connections to port 22
ss -tn dport = :22
Filter by source port — show connections originating from high ports
ss -tn sport gt :1024
Filter by a set of ports — show connections to common web ports
ss -tn '( dport = :80 or dport = :443 )'
Filter by subnet — show connections to/from the management VLAN
ss -tn dst 10.50.1.0/24
Combine filters — established connections to RADIUS port from a specific subnet
ss -tn state established '( dport = :1812 and src 10.50.10.0/24 )'

Socket State Analysis

Show socket summary — total counts by state and protocol, quick system health check
ss -s
Show sockets in TIME-WAIT — high counts indicate connection churn or missing keepalive
ss -tn state time-wait
Show sockets in CLOSE-WAIT — application not closing connections, likely a bug
ss -tn state close-wait
Show SYN-RECV sockets — half-open connections, high counts may indicate SYN flood
ss -tn state syn-recv
Show all TCP sockets, listening and non-listening, with their state — full connection lifecycle view
ss -tna

Unix and Raw Sockets

Show listening Unix domain sockets with process info — inter-process communication channels
ss -xlnp
Show Unix sockets filtered by path — find what is connected to a specific socket file
ss -x src /run/dbus/system_bus_socket

Memory and Timer Information

Show socket memory usage — recv/send buffer sizes, helps diagnose buffer exhaustion
ss -tm
Show timer information — retransmit timers, keepalive intervals, probe status
ss -to
Show internal TCP info — includes congestion control algorithm, RTT, bytes in flight
ss -ti

ss vs netstat

Why ss replaced netstat — ss queries the kernel over netlink (sock_diag) and falls back to /proc/net, while netstat parses the /proc/net text files
# netstat is deprecated in net-tools, removed from many minimal installs
# ss equivalent mappings:
#   netstat -tlnp  →  ss -tlnp
#   netstat -an    →  ss -an
#   netstat -s     →  ss -s
#   netstat -r     →  ip route (not ss)
#   netstat -i     →  ip -s link (not ss)

See Also

  • ip — iproute2 network configuration

  • Diagnostics — general network diagnostics