Exploring the ss Command: A Utility for Socket Investigation

The ss (socket statistics) command is a powerful tool for investigating socket connections on Linux systems. It provides detailed information about TCP, UDP, RAW, and UNIX sockets, making it easier to analyze network activity. Here, we’ll delve into its functionality, syntax, and some practical examples.

Basic Usage

To get started with ss, you can display all types of sockets—TCP, UDP, RAW, and UNIX—using the following command:

ss [-a|--all] -t|-u|-w|-x

This command lists all relevant socket connections along with their states.

Filtering TCP Sockets by State

You can filter TCP sockets based on their states, allowing you to focus on specific types of connections. For example:

ss state|exclude bucket|big|connected|synchronized|...

This helps in monitoring connections that are vital for troubleshooting or performance checks.

Common Use Cases

1. Show TCP Sockets Connected to HTTPS (Port 443) To list all TCP sockets that are connected to the local HTTPS port (443), use:

   ss [-t|--tcp] src :443

2. List Listening TCP Sockets on Port 8080 To see which TCP sockets are actively listening on port 8080, execute:

   ss [-lt|--listening --tcp] src :8080

3. View Processes Connected to a Remote SSH Port If you want to see all TCP sockets along with the processes that are connected to a remote SSH port, you can run:

   ss [-pt|--processes --tcp] dst :ssh

4. Show UDP Sockets on Specific Ports To investigate UDP sockets tied to specific source and destination ports, you can use the following syntax:

   ss [-u|--udp] 'sport == :source_port and dport == :destination_port'

5. Display Local TCP IPv4 Sockets on a Subnet To show all locally connected TCP IPv4 sockets on a certain subnet (e.g., 192.168.0.0/16), use:

   ss [-4t|--ipv4 --tcp] src 192.168/16

Killing Socket Connections

In cases where you need to terminate an unwanted socket connection, ss allows you to kill connections based on their IP and port. For example:

ss [-K|--kill] dst 192.168.1.17 dport = 8080

This command terminates the connection targeting the specified destination IP and port.

Additional Resources

For further detailed information, you can consult the manual page at manned.org.

Conclusion

The ss command is an invaluable tool for system administrators and network analysts. It provides the means to monitor, manage, and diagnose network connections effectively. With the ability to filter and kill connections, it’s an essential utility for maintaining network health.

See Also

• How to Use the kill Command in Linux?
• What Can uname do in Linux?
• How to Use the ping Command in Linux
• How to Use the Nano Command: A Complete Guide
• How to Use the mv Command in Linux