1. Overview
In this tutorial, we’ll look at how to examine the connections on a host, how to view the connection information, and commands to examine the connections’ state. We’ll also show ways to filter the command output to view connection statistics readily. We’ll look at how to get a summary of the hosts’ connections and the current connection count.
The commands in this article have been tested on SUSE 15 and Debian 11.6, using GNU Bash version 4.4.23. All code snippets should work in most Linux environments.
2. The ss Command
A socket is a mechanism to enable communication to and from a host. Linux provides the ss command, short for “socket statistics”, to dump information about socket states. When run without any parameters, a list of all the non-listening sockets that have established a connection is displayed:
$ ss
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
u_str ESTAB 0 0 /run/systemd/journal/stdout 9775 * 9774
u_str ESTAB 0 0 /run/systemd/journal/stdout 10874 * 10873
u_str ESTAB 0 0 * 20988 * 20989
u_str ESTAB 0 0 * 10876 * 10900
u_str ESTAB 0 0 /run/systemd/journal/stdout 10924 * 10923
...
u_str ESTAB 0 0 * 11117 * 11118
u_str ESTAB 0 0 /run/dbus/system_bus_socket 20989 * 20988
tcp ESTAB 0 0 172.31.5.16:ssh 86.41.94.97:50592
We see in the State column that this system has sockets that are ESTAB, meaning established, while the Local Address:Port and Peer Address:Port columns show us the IP address and port information.
3. Filtering ss Output
Another possible TCP state is listening. By default, listening sockets are omitted from the ss command output. We can pass the state keyword as an argument to filter on the socket state, followed by the state we want to query. Here, we’re retrieving sockets that are in a listening state:
$ ss state listening
Netid Recv-Q Send-Q Local Address:Port Peer Address:Port Process
u_str 0 4096 /run/user/1000/systemd/private 20986 * 0
u_str 0 4096 /run/dbus/system_bus_socket 10835 * 0
u_str 0 4096 /run/uuidd/request 10837 * 0
u_str 0 4096 /run/systemd/private 9525 * 0
u_str 0 4096 /run/systemd/userdb/io.systemd.DynamicUser 9527 * 0
...
u_str 0 4096 /run/systemd/journal/io.systemd.journal 9588 * 0
tcp 0 128 0.0.0.0:ssh 0.0.0.0:*
tcp 0 128 [::]:ssh [::]:*
Now, we see our output no longer has a State column because we included a state filter. As a shortcut to filter for sockets in a listening state, ss provides the -l argument. We could retrieve the same information as our previous command: ss -l.
4. Filtering on Protocol
When a connection is shown as established, it uses a protocol that ensures a reliable connection, such as TCP. ESTAB refers to one of the protocol standard states.
We can further filter down our results by protocol. By default, all protocols are included in the output. We can limit this to one type by passing the option for that protocol. The well-known protocols TCP and UDP have shortcuts -t and -u, respectively.
Here, we’re filtering on TCP connections that are in a listening state by passing the arguments –t and -l:
$ ss -lt
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:ssh 0.0.0.0:*
LISTEN 0 128 [::]:ssh [::]:*
LISTEN 0 511 *:http *:*
If we want to retrieve TCP socket information in all states, we can use -t followed by -a to display both listening and non-listening:
$ ss -t -a
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:ssh 0.0.0.0:*
ESTAB 0 52 172.31.5.16:ssh 86.40.31.143:58980
LISTEN 0 511 *:http *:*
LISTEN 0 128 [::]:ssh [::]:*
These arguments provide a quick way to filter our socket list on protocol and state.
5. Summary of Connections
The number of sockets open on a host can directly impact the host’s performance. Each connection takes memory and CPU to track and manage them. While it’s theoretically possible to have many sockets open, the underlying host would need the resources to manage these effectively. On Linux hosts, we can query that limit in the file /proc/sys/fs/file-max. The file requires sudo access:
$ sudo cat /proc/sys/fs/file-max
9223372036854775807
So, if we are concerned with just the number of open sockets and their state, ss has a shortcut parameter, -s. To get a summary of the socket statistics, we can provide the argument -s:
$ ss -s
Total: 84
TCP: 5 (estab 1, closed 1, orphaned 0, timewait 0)
Transport Total IP IPv6
RAW 0 0 0
UDP 4 2 2
TCP 4 2 2
INET 8 4 4
FRAG 0 0 0
Of course, we can pipe these results to text search commands. This could be useful in scripts. Here, we’re using grep combined with cut to view the total socket count alone:
$ ss -s | grep -m1 -i total | cut -f2 -d " "
84
This time, let’s combine ss with awk to find the total:
$ ss -s | awk '/Total/ {print $2;exit;}'
84
This is a fast way to retrieve a socket count and the socket protocol.
6. Retrieving Extended Information
If we want to get the process name associated with the socket, we can use the -e parameter to include extended information in our output.
Let’s look at an example from a web server host. We’ll combine the extended parameter with restricting the output to TCP-based sockets in a listening state. Our shortcut combination is -etl:
$ ss -etl
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:ssh 0.0.0.0:* ino:11052 sk:1f cgroup:/system.slice/ssh.service <->
LISTEN 0 511 *:http *:* ino:11953 sk:5d cgroup:/system.slice/apache2.service v6only:0 <->
LISTEN 0 128 [::]:ssh [::]:* ino:11064 sk:21 cgroup:/system.slice/ssh.service v6only:1 <->
The Process column shows the SSH and HTTP sockets, followed by the process details for the Apache2 web service. The format of this column is ino identifying the inode in the virtual filesystem, sk represents the universally unique id of the socket, and uid the user the socket belongs to.
7. Retrieving the Hostname
The ss command can attempt to resolve IP addresses and port combinations to hostnames using -r.
Here, we’re querying for sockets in all states using the TCP protocol. We’ll include an attempt to resolve the IP addresses:
$ ss -atr
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:ssh 0.0.0.0:*
ESTAB 0 52 ip-172-31-5-16.eu-west-1.compute.internal:ssh 86.40.31.143:58980
LISTEN 0 511 *:http *:*
LISTEN 0 128 [::]:ssh [::]:*
TIME-WAIT 0 0 ip-172-31-5-16.eu-west-1.compute.internal:http [::ffff:86.40.31.143]:50046
SYN-RECV 0 0 ip-172-31-5-16.eu-west-1.compute.internal:http [::ffff:86.40.31.143]:59674
We see in the Local Address column that it resolved the IP to the hostname.
8. Summary
In this article, we learned how to use the ss command to query socket information.
We started with a discussion on the default information provided by ss then we saw examples of how to filter the output based on state and protocol. Further, we discussed socket count and looked at how to get a summary of the open sockets. Next, we extended the command to get process information associated with the socket. Finally, we saw how to resolve the hostname from the IP address included in the output.