Basic flags
- `-t` - TCP
- `-u` - UDP
- `-l` - listening sockets only
- `-n` - do not resolve names or ports (faster; shows raw numbers)
- `-p` - show the process (PID and name; requires sudo to see other users' sockets)
- `-a` - all sockets (established, listening, and closed)
- `-i` - extended TCP info: RTT, cwnd, MSS, retransmits
- `-s` - per-protocol summary
Common combinations
ss -tuln # all listening TCP/UDP sockets
ss -tnp # all TCP sessions with process PID (sudo)
ss -tn state established # established connections only
ss -tn state time-wait | wc -l # count TIME_WAIT sockets (see [[tcp-states]])
ss -tnli # listening sockets with extended info
Filters by address and port
ss -tn '( dport = 443 or sport = 443 )'
ss -tn dst 8.8.8.8
ss -tn src 10.0.0.5/24
You can also use dport > 1024, sport != 80, and similar expressions.
ss -ti: inside a TCP session
The most useful command when debugging performance:
ss -ti dst 1.2.3.4
# ESTAB ... 192.168.1.10:54321 1.2.3.4:443
# cubic wscale:7,7 rto:212 rtt:10.5/2.5 ato:40 mss:1448
# pacing_rate 12.3Mbps delivery_rate 11.8Mbps app_limited
# sndbuf=87040 rcvbuf=131072 retrans:0/0 ...
Key fields:
- `cubic`/`bbr` - congestion control algorithm
- `rtt` - measured round-trip time (mean / mdev)
- `rto` - retransmit timeout
- `mss` - max segment size
- `cwnd` - congestion window (reflected in `pacing_rate`)
- `retrans` - cur/total: retransmits currently in flight / total. A high value points to packet loss on the path.
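To turn the `retrans` and `rtt` fields into a quick triage list, the added example below (not part of the original page) filters `ss -tin` output for sessions whose total retransmit count reaches a threshold. The function names `retrans_report` and `sample_ss_output` are hypothetical, the sample lines are constructed, and the parser assumes `-p` is not used, so the peer address is the last column.

```shell
#!/bin/sh
# Added example: report TCP sessions with many retransmits, from `ss -tin` output.
# Live use (assumption: no -p flag, so peer is the last column):
#   ss -tin state established | retrans_report 5

retrans_report() {
    # $1 = minimum total retransmits to report (default 1)
    awk -v min="${1:-1}" '
        # Column header, with or without the State column: skip it.
        /^(State|Recv-Q)/ { next }
        # Socket line starts in column 0; local and peer are the last two fields.
        /^[^ \t]/ { local = $(NF-1); peer = $NF; next }
        # Indented line carries the -i details for the socket line above it.
        /^[ \t]/ {
            rtt = "-"; total = 0
            for (i = 1; i <= NF; i++) {
                # Anchored matches, so minrtt: and bytes_retrans: are ignored.
                if ($i ~ /^rtt:/)     { split(substr($i, 5), r, "/"); rtt = r[1] }
                if ($i ~ /^retrans:/) { split(substr($i, 9), t, "/"); total = t[2] + 0 }
            }
            if (peer != "" && total >= min)
                printf "%s %s rtt=%sms retrans_total=%d\n", local, peer, rtt, total
            peer = ""
        }
    '
}

# Constructed sample in the layout `ss -tin` prints (addresses are placeholders).
sample_ss_output() {
    cat <<'EOF'
State  Recv-Q Send-Q  Local Address:Port   Peer Address:Port
ESTAB  0      0       192.168.1.10:54321   1.2.3.4:443
     cubic wscale:7,7 rto:212 rtt:10.5/2.5 ato:40 mss:1448 cwnd:10 retrans:0/0
ESTAB  0      0       192.168.1.10:54400   198.51.100.7:443
     cubic wscale:7,7 rto:440 rtt:120.3/40.1 mss:1448 cwnd:4 retrans:1/37
ESTAB  0      36      192.168.1.10:22      203.0.113.9:50122
     bbr wscale:7,7 rto:204 rtt:3.2/1.1 mss:1448 cwnd:20 bytes_retrans:2896 retrans:0/2
EOF
}

# Demo run on the sample: only the session with 37 total retransmits is listed.
sample_ss_output | retrans_report 5
```

The total is cumulative for the lifetime of the connection, so compare it against how long the session has been open before concluding the path is lossy.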
Replacing netstat
Old commands and their equivalents:
| netstat | ss |
|---|---|
| netstat -tuln | ss -tuln |
| netstat -tnp | ss -tnp (with sudo) |
| netstat -s | ss -s |
ss is faster (uses the netlink API directly, with less /proc parsing) and
shows more detail. On modern distributions, netstat is not installed at all.