ss Command in Linux: Display Socket Statistics
ss is a command-line utility for displaying socket statistics on Linux. It is the modern replacement for the deprecated netstat command and is faster, more detailed, and available by default on all current Linux distributions.
This guide explains how to use ss to list open sockets, filter results by protocol and port, and identify which process is using a given connection.
ss Syntax
ss [OPTIONS] [FILTER]When invoked without options, ss displays all non-listening sockets that have an established connection.
List All Sockets
To list all sockets regardless of state, use the -a option:
ss -aThe output includes columns for the socket type (Netid), state, receive and send queue sizes, local address and port, and peer address and port:
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp ESTAB 0 0 192.168.1.10:ssh 192.168.1.5:52710
tcp LISTEN 0 128 0.0.0.0:http 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:bootpc 0.0.0.0:*Filter by Socket Type
TCP Sockets (-t)
To list only TCP sockets:
ss -tTo include listening TCP sockets as well, combine with -a:
ss -taUDP Sockets (-u)
To list only UDP sockets:
ss -uaUnix Domain Sockets (-x)
To list Unix domain sockets used for inter-process communication:
ss -xaShow Listening Sockets
The -l option shows only sockets that are in the listening state:
ss -tlThe most commonly used combination is -tulpn, which shows all TCP and UDP listening sockets with process names and numeric addresses:
ss -tulpnNetid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=1234,fd=3))
tcp LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=5678,fd=6))
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:* users:(("dhclient",pid=910,fd=6))Each option in the combination does the following:
-t— show TCP sockets-u— show UDP sockets-l— show listening sockets only-p— show the process name and PID-n— show numeric addresses and ports instead of resolving hostnames and service names
Show Process Information
The -p option adds the process name and PID to the output. This requires root privileges to see processes owned by other users:
sudo ss -tpState Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 192.168.1.10:ssh 192.168.1.5:52710 users:(("sshd",pid=2341,fd=5))Use Numeric Output
By default, ss resolves port numbers to service names (for example, port 22 becomes ssh). The -n option disables this and shows raw port numbers:
ss -tnThis is useful when you need to match exact port numbers in scripts or when name resolution is slow.
Filter by Port
To find which process is using a specific port, filter by destination or source port. For example, to list all sockets using port 80:
ss -tulpn | grep :80You can also use the built-in filter syntax:
ss -tnp 'dport = :443'To filter by source port:
ss -tnp 'sport = :22'Filter by Connection State
ss supports filtering by connection state. Common states include ESTABLISHED, LISTEN, TIME-WAIT, and CLOSE-WAIT.
To show only established TCP connections:
ss -tn state ESTABLISHEDTo show only sockets in the TIME-WAIT state:
ss -tn state TIME-WAITFilter by Address
To show sockets connected to or from a specific IP address:
ss -tn dst 192.168.1.5To filter by source address:
ss -tn src 192.168.1.10You can combine address and port filters:
ss -tnp dst 192.168.1.5 dport = :22Show IPv4 or IPv6 Only
To restrict output to IPv4 sockets, use -4:
ss -tln -4To show only IPv6 sockets, use -6:
ss -tln -6Show Summary Statistics
The -s option prints a summary of socket counts by type and state without listing individual sockets:
ss -sTotal: 312
TCP: 14 (estab 4, closed 3, orphaned 0, timewait 3)
Transport Total IP IPv6
RAW 1 0 1
UDP 6 4 2
TCP 11 7 4
INET 18 11 7
FRAG 0 0 0This is useful for a quick overview of the network state on a busy server.
Practical Examples
The following examples cover common diagnostics you will use together with tools like ip
, ifconfig
, and check listening ports
.
Find which process is listening on port 8080:
sudo ss -tlpn sport = :8080List all established SSH connections to your server:
ss -tn state ESTABLISHED '( dport = :22 or sport = :22 )'Show all connections to a remote host:
ss -tn dst 203.0.113.10Count established TCP connections:
ss -tn state ESTABLISHED | tail -n +2 | wc -lQuick Reference
| Command | Description |
|---|---|
ss -a | List all sockets |
ss -t | List TCP sockets |
ss -u | List UDP sockets |
ss -x | List Unix domain sockets |
ss -l | Show listening sockets only |
ss -tulpn | Listening TCP/UDP with process and numeric output |
ss -tp | TCP sockets with process names |
ss -tn | TCP sockets with numeric addresses |
ss -s | Show socket summary statistics |
ss -tn state ESTABLISHED | Show established TCP connections |
ss -tnp dport = :80 | Filter by destination port |
ss -tn dst 192.168.1.5 | Filter by remote address |
ss -4 | IPv4 sockets only |
ss -6 | IPv6 sockets only |
Troubleshooting
ss -p does not show process names
Process information for sockets owned by other users requires elevated privileges. Use sudo ss -tp or sudo ss -tulpn.
Filters return no results
Use quoted filter expressions such as ss -tn 'dport = :443', and verify whether you should filter by sport or dport.
Service names hide numeric ports
If output shows service names (ssh, http) instead of port numbers, add -n to keep numeric ports and avoid lookup ambiguity.
Output is too broad on busy servers
Start with protocol and state filters (-t, -u, state ESTABLISHED) and then add address or port filters to narrow results.
You need command-level context, not only sockets
Use ss with ps
or pgrep
when you need additional process detail.
FAQ
What is the difference between ss and netstat?ss is the modern replacement for netstat. It reads directly from kernel socket structures, making it significantly faster on systems with many connections. netstat is part of the net-tools package, which is deprecated and not installed by default on most current distributions.
Why do I need sudo with ss -p?
Without root privileges, ss can only show process information for sockets owned by your own user. To see process names and PIDs for all sockets, run ss with sudo.
What does Recv-Q and Send-Q mean in the output?Recv-Q is the number of bytes received but not yet read by the application. Send-Q is the number of bytes sent but not yet acknowledged by the remote host. Non-zero values on a listening socket or consistently high values can indicate a performance issue.
How do I find which process is using a specific port?
Run sudo ss -tulpn | grep :<port>. The -p flag adds process information and -n keeps port numbers numeric so the grep match is reliable.
Conclusion
ss is the standard tool for inspecting socket connections on modern Linux systems. The -tulpn combination covers most day-to-day needs, while the state and address filters make it easy to narrow results on busy servers. For related network diagnostics, see the ip
and ifconfig
command guides, or check listening ports
for a broader overview.
Tags
Linuxize Weekly Newsletter
A quick weekly roundup of new tutorials, news, and tips.
About the authors
Dejan Panovski
Dejan Panovski is the founder of Linuxize, an RHCSA-certified Linux system administrator and DevOps engineer based in Skopje, Macedonia. Author of 800+ Linux tutorials with 20+ years of experience turning complex Linux tasks into clear, reliable guides.
View author page