Understanding the ss Command: A Modern Alternative to netstat

The ss command (short for socket statistics) is a fast, feature-rich replacement for the older netstat utility. It allows administrators to inspect and manage network sockets on a system — whether they’re TCP, UDP, RAW, or UNIX domain sockets. Compared to netstat, ss runs faster and provides more filtering options, making it invaluable for network diagnostics and system monitoring.

Show All TCP, UDP, RAW, and UNIX Sockets

ss -a -t -u -w -x

Motivation: Network administrators often need a complete snapshot of all active sockets — to check which services are listening, what connections are established, or to detect unusual activity.

Explanation:

-a: show all sockets (listening + non-listening)
-t: TCP sockets
-u: UDP sockets
-w: RAW sockets
-x: UNIX domain sockets

Tip: Use -n to skip DNS lookups for faster output:

ss -antuwx

Example Output:

Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   ESTAB  0      0      192.168.1.5:ssh   192.168.1.10:33842
udp   UNCONN 0      0      0.0.0.0:bootpc    0.0.0.0:*
unix  STREAM 0      0      /run/user/1000/bus 0

Filter TCP Sockets by Connection State

ss -t state established
ss -t state all exclude established

Motivation: Understanding the state of TCP connections (for example, SYN-SENT, ESTAB, TIME-WAIT) helps identify network congestion, failed connections, or excessive retries.

Explanation:

state established: show only active connections
state all exclude established: show everything except established connections

Example Output:

Netid State    Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   SYN-SENT 0      1      192.168.1.5:40065 203.0.113.1:http

Show All TCP Sockets Listening on Port 8080

ss -lt src :8080

Motivation: Port 8080 is often used for web servers and development environments. Administrators can use this command to confirm that services are listening correctly.

Explanation:

-l: show listening sockets only
-t: restrict to TCP
src :8080: match sockets bound to local port 8080

Example Output:

Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:http-alt   0.0.0.0:*

Show All TCP Connections to a Remote SSH Server

ss -pt dst :22

Motivation: List all processes with active SSH connections — useful for security audits or session tracking.

Explanation:

-p: show process name and PID (requires root)
-t: TCP only
dst :22: filter by destination port (default SSH)

Example Output:

Netid State Recv-Q Send-Q Local Address:Port  Peer Address:Port  Process
tcp   ESTAB 0      0      192.168.1.5:35022  192.168.1.10:ssh   users:(("ssh",pid=10293,fd=10))

Show UDP Sockets Matching Source and Destination Ports

ss -u "( sport = :12345 and dport = :17000 )"

Motivation: In UDP-based applications (such as VoIP, DNS, or streaming), isolating traffic by ports helps diagnose packet loss or latency.

Explanation:

-u: show only UDP sockets
The expression inside parentheses filters by source (sport) and destination (dport) ports

Example Output:

Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0     0     192.168.1.5:12345   203.0.113.2:17000

Show All TCP IPv4 Sockets Within a Subnet

ss -4t src 192.168/16

Motivation: Useful for examining internal LAN traffic and verifying that connections stay within the expected subnet.

Explanation:

-4: IPv4 only
-t: TCP only
src 192.168/16: show sockets sourced from the 192.168.x.x range

Example Output:

Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   ESTAB 0      0      192.168.2.3:http   192.168.1.5:40210

Killing a Socket Connection Safely

The --kill flag allows administrators to forcibly close a socket on the local machine. This requires root privileges. It cannot terminate sockets on remote hosts; it only affects connections local to the system.

Example 1 — Killing a Client Connection

If your system is the client, ss might show:

Netid State Recv-Q Send-Q Local Address:Port   Peer Address:Port
tcp   ESTAB 0      0      0.0.0.0:8080         1.1.1.1:32123

To close this connection:

sudo ss --kill src 1.1.1.1 dport = 8080

or equivalently:

sudo ss --kill dst 127.0.0.1 sport = 32123 dport = 8080

Example 2 — Killing a Server-Side Connection

If your system is the server listening on port 8080:

sudo ss --kill src 192.168.1.17 dport = 8080

Explanation:

--kill: closes matching local sockets
src / dst: define direction relative to the local host
sport / dport: match specific ports
Multiple filters can be combined

Example Output:

Killed connection: 192.168.1.17:32123

Common `ss` Command Cheat Sheet

Purpose	Command	Notes
Show all sockets	`ss -antuwx`	Combine flags for all protocols; add `-n` to disable DNS lookups
List listening TCP ports	`ss -lt`	Shows only sockets in `LISTEN` state
List established TCP connections	`ss -t state established`	Filters by active TCP sessions
List UDP sockets	`ss -u -a`	Displays both listening and active UDP sockets
Show sockets for a specific port	`ss -t '( sport = :22 or dport = :22 )'`	Works for any port (replace `22`)
Show sockets to a specific IP	`ss -t dst 203.0.113.5`	Filter by destination IP address
Show sockets within a subnet	`ss -4t src 192.168/16`	Useful for LAN/internal traffic
Include process info	`sudo ss -pt`	Requires root privileges
Exclude certain states	`ss -t state all exclude time-wait`	Filters out unwanted states
Kill client-side connection	`sudo ss --kill src 192.168.1.17 sport = 32123`	Terminate specific socket (requires root)
Kill server-side connection	`sudo ss --kill dst 192.168.1.17 dport = 8080`	Close connection from server’s perspective
Show connection stats	`ss -s`	Summarizes socket usage by protocol
Watch sockets in real time	`watch -n 1 'ss -ant'`	Refresh every second for live view

Tips

Always add -n to skip DNS resolution for faster output.
ss accepts expressions like ( sport = :22 and state = established ).
Root privileges are required for --kill and -p.
To save output for later analysis:
```
ss -ant > /tmp/sockets.log
```

Quick Mental Map

-t TCP, -u UDP, -w RAW, -x UNIX
-l listening sockets only
-a all sockets
-p include process name/PID
-4 / -6 limit to IPv4 or IPv6

Conclusion

The ss command provides a detailed, efficient, and scriptable way to inspect socket connections. It supports advanced filtering, process correlation, and even direct connection termination — all faster than legacy tools like netstat.

Whether you’re diagnosing latency, managing TCP states, or dropping unwanted sessions, mastering ss is essential for any Linux system administrator.

Understanding the ss Command: A Modern Alternative to netstat

Show All TCP, UDP, RAW, and UNIX Sockets

Filter TCP Sockets by Connection State

Show All TCP Sockets Listening on Port 8080

Show All TCP Connections to a Remote SSH Server

Show UDP Sockets Matching Source and Destination Ports

Show All TCP IPv4 Sockets Within a Subnet

Killing a Socket Connection Safely

Example 1 — Killing a Client Connection

Example 2 — Killing a Server-Side Connection

Common ss Command Cheat Sheet

Tips

Quick Mental Map

Conclusion

Common `ss` Command Cheat Sheet