The Linux ss command: modern alternative to netstat

Introduction

In Linux system administration, knowing the status of network connections is essential to diagnose problems, optimize performance and ensure security. For years the tool `netstat` has been the standard, but its development has stopped and it has limitations on modern systems.

What's ss?

The command `ss` (socket statistics) is part of the package `iproute2` and offers a faster and more detailed way to inspect TCP, UDP and other sockets. It uses the kernel's Netlink interface, which allows it to obtain information almost in real time.

Installation

In most modern distributions, `iproute2` is already pre-installed. If it is missing, install it from the package manager: on Debian / Ubuntu, `sudo apt-get install iproute2`; on RHEL / CentOS, `sudo yum install iproute2`; on Fedora, `sudo dnf install iproute2`.

Basic syntax

The simplest way is to run `ss` without arguments, which shows a summary list of all open sockets. For more details, you can add options like `-t` for TCP, `-u` for UDP and `-a` to include both active and listening sockets.

Show all connections

To view all TCP and UDP connections, use `ss -a`. The output includes the state (ESTAB, LISTEN, etc.), the local and remote addresses, and the process identifier when combined with `-p`. It is useful for a quick overview of traffic.

Filter by protocol

If you're only interested in TCP, run `ss -t`; for UDP, `ss -u`. You can combine filters: for example, `ss -tu` shows both protocols. In addition, `-4` and `-6` limit the output to IPv4 or IPv6 respectively.

Show listening sockets

Services waiting for connections appear in the LISTEN state. With `ss -l`, only those sockets are listed. Adding `-t` or `-u` restricts the list to TCP or UDP listeners, which helps to verify which ports are open on the system.

Process information

To associate each socket with the process responsible for it, use the option `-p`. This shows the PID and the name of the program, which is essential when you need to identify which application is using a particular port.
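The listener and process options above can be combined into a simple exposure audit. The following is an added example, not part of the original article: it reads `ss -H -tulnp` output and reports listeners bound to a non-loopback address whose protocol/port is not on an allowlist. The allowlist and the sample lines are constructed, and `-n` (numeric ports) and `-H` (no header) are `ss` options the article does not mention.

```sh
#!/bin/sh
# Added example: flag listeners that are reachable from the network but not expected.
ALLOWED="tcp/22 tcp/443"   # assumption: constructed allowlist of proto/port pairs

# Reads `ss -H -tulnp` output on stdin (-H: no header, -n: numeric ports).
audit_listeners() {
  awk -v allowed="$ALLOWED" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    {
      proto = $1; laddr = $5
      port = laddr; sub(/.*:/, "", port)        # text after the last colon
      host = laddr; sub(/:[^:]*$/, "", host)    # everything before it
      sub(/%.*/, "", host)                      # drop interface suffix such as %lo
      if (host ~ /^127\./ || host == "[::1]") next   # loopback only
      if ((proto "/" port) in ok) next               # expected service
      owner = "unknown (rerun ss with sudo)"
      if (match($0, /users:\(\("[^"]+",pid=[0-9]+/)) {
        owner = substr($0, RSTART + 8, RLENGTH - 8)  # "name",pid=N
        gsub(/"/, "", owner); sub(/,pid=/, " pid ", owner)
      }
      printf "UNEXPECTED %s/%s on %s owner: %s\n", proto, port, host, owner
    }'
}

# Constructed sample of `ss -H -tulnp` output, so the example runs offline.
sample_ss_output() {
  cat <<'EOF'
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      4096       127.0.0.1:5432      0.0.0.0:*    users:(("postgres",pid=1033,fd=5))
tcp   LISTEN 0      511             [::]:8080         [::]:*    users:(("node",pid=2201,fd=20))
udp   UNCONN 0      0      127.0.0.53%lo:53        0.0.0.0:*    users:(("systemd-resolve",pid=640,fd=13))
udp   UNCONN 0      0            0.0.0.0:5353      0.0.0.0:*
EOF
}

sample_ss_output | audit_listeners
# Live use: sudo ss -H -tulnp | audit_listeners
```

The last sample line has no process column, which is what `ss -p` produces for sockets owned by other users when it is run without sufficient privileges.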

Real-time monitoring

Like `netstat -c`, `ss` allows continuous updating with the option `-c`. The information is reread every second (or at the specified interval), which makes it easier to detect rapid changes in connection status.

Comparison with netstat

While `netstat` reads information from various files in `/proc`, which can be slower on systems with many connections, `ss` queries the kernel directly via Netlink, offering almost instant responses. In addition, its output is more uniform and its filtering options are more powerful.

Advanced options

Among the extra capabilities of `ss` are: `-s` to show summary statistics, `-i` for internal TCP information (such as the congestion algorithm), and `-p` with process filters like `ss -p 'pid = 1234'`. They can also be combined with regular expressions for IP addresses or ports.

Troubleshooting common problems

If you get a permission denied message when running `ss`, make sure you use `sudo` to access process information belonging to other users. In containers or environments with restricted capabilities, it may be necessary to grant the `CAP_NET_ADMIN` capability to see certain details.

Conclusion

The command `ss` represents a necessary evolution from the old `netstat`. Its speed, accuracy and wealth of options make it the preferred tool for system administrators seeking efficient and modern monitoring of the network on Linux.

This work is under a Creative Commons Attribution 4.0 International License, by Francesc Roig francesc @ vivaldi.net.