
ss / netstat (Checking Socket Status)

ss is the standard Linux network diagnostic command for quickly displaying socket status. While netstat (from the net-tools package) was widely used in the past, ss (from the iproute2 package) is the recommended tool in current major distributions. Running ss -tlnp lists listening ports, and reading connection states such as LISTEN, ESTABLISHED, and TIME_WAIT lets you quickly understand which ports a server has open and whether any suspicious connections are present.

Syntax

# -----------------------------------------------
#  Main options for ss
# -----------------------------------------------

# ss [options] [filter]
#   → Lists socket status

# -t : Show TCP sockets only (--tcp)
# -u : Show UDP sockets only (--udp)
# -l : Show LISTEN state sockets only (--listening)
# -n : Display addresses and ports as numbers, without resolving names (--numeric)
# -p : Show the process name and PID using each socket (--processes)
# -a : Show sockets in all states (--all)
# -s : Show a summary of socket statistics (--summary)

# -----------------------------------------------
#  Common combinations (ss)
# -----------------------------------------------

# ss -tlnp
#   → Shows TCP listening ports and their processes as numbers
#   → The most common way to check which ports a server is waiting on

# ss -tunlp
#   → Shows listening ports and processes for both TCP and UDP

# ss -s
#   → Shows a statistics summary for TCP, UDP, and UNIX sockets

# ss state established
#   → Lists sockets in the ESTABLISHED state (active connections)

# ss state listening
#   → Lists sockets in the LISTEN state

# -----------------------------------------------
#  netstat equivalents (reference)
# -----------------------------------------------

# netstat -tlnp  →  ss -tlnp
# netstat -tunlp →  ss -tunlp
# netstat -an    →  ss -an
# netstat -s     →  ss -s

Syntax Reference

Option / Command          Description
ss -tlnp                  Shows TCP listening ports and their processes as numbers. The most commonly used command for checking open ports.
ss -tunlp                 Lists listening ports and processes for both TCP and UDP. Includes UDP services such as DNS and NTP.
ss -an                    Shows all sockets in all states as numbers. Includes ESTABLISHED, TIME_WAIT, CLOSE_WAIT, and more.
ss -s                     Shows a statistics summary for TCP, UDP, and UNIX sockets. Gives you a quick overview of the total connection count.
ss state established      Shows only sockets in the ESTABLISHED state (connection established and transferring data).
ss state listening        Shows only sockets in the LISTEN state (waiting for incoming connections).
ss -tnp dst :443          Shows TCP connections to destination port 443. Useful for filtering traffic to a specific port.
ss -tnp sport = :80       Shows sockets with source port 80. Useful for checking the connection status of a specific service.

Connection state meanings

State                     Meaning
LISTEN                    The socket is waiting for connections. Indicates that the server is ready to accept connection requests from clients.
ESTABLISHED               A connection has been established and data is being sent and received. Indicates normal active communication.
TIME_WAIT                 The connection is waiting for a period (typically 60 seconds) after closing. This handles delayed packets. A large number of TIME_WAIT entries can lead to port exhaustion.
CLOSE_WAIT                The remote side has closed the connection, but the local side has not yet closed it. A large number can indicate an application bug.
SYN_SENT                  A TCP three-way handshake has been initiated, a SYN packet has been sent, and the socket is waiting for a response.
SYN_RECV                  A SYN has been received, a SYN-ACK has been returned, and the socket is waiting for an ACK. Appears in large numbers during a SYN flood attack.
FIN_WAIT1 / FIN_WAIT2     The connection is in the process of closing. These states normally disappear within a short time.
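
The state meanings above can be turned into a quick health check. The following is an added example, not part of the original page: it tallies TCP states from ss -tan output and warns on the three states the table flags. ss prints state names with hyphens and abbreviates ESTABLISHED to ESTAB; the function names, default thresholds and sample data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original page). Thresholds are illustrative
# assumptions; tune them to the normal baseline of each host.

# tally_states: reads `ss -tan` output on stdin, prints "STATE COUNT" lines.
tally_states() {
    awk '$1 != "State" && NF { count[$1]++ }
         END { for (s in count) print s, count[s] }' | LC_ALL=C sort
}

# flag_states [SYN_RECV_MAX] [CLOSE_WAIT_MAX] [TIME_WAIT_MAX]:
# reads "STATE COUNT" lines and prints one warning per state over its limit.
flag_states() {
    awk -v syn="${1:-100}" -v cw="${2:-50}" -v tw="${3:-10000}" '
        $1 == "SYN-RECV"   && $2 > syn { print "WARN SYN-RECV="   $2 " (possible SYN flood)" }
        $1 == "CLOSE-WAIT" && $2 > cw  { print "WARN CLOSE-WAIT=" $2 " (application not closing sockets)" }
        $1 == "TIME-WAIT"  && $2 > tw  { print "WARN TIME-WAIT="  $2 " (ephemeral port pressure)" }'
}

# Constructed sample of `ss -tan` output (documentation addresses, made up).
sample_ss_tan() {
cat <<'EOF'
State      Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN     0      128    0.0.0.0:22          0.0.0.0:*
ESTAB      0      0      192.0.2.10:22       198.51.100.7:50122
SYN-RECV   0      0      192.0.2.10:80       203.0.113.5:40001
SYN-RECV   0      0      192.0.2.10:80       203.0.113.6:40002
SYN-RECV   0      0      192.0.2.10:80       203.0.113.7:40003
CLOSE-WAIT 1      0      192.0.2.10:8080     198.51.100.9:51000
TIME-WAIT  0      0      192.0.2.10:80       198.51.100.8:52000
EOF
}

# Demo on the sample with a deliberately low SYN-RECV limit of 2.
sample_ss_tan | tally_states | flag_states 2 50 10000
# Live use: ss -tan | tally_states | flag_states
```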

Examples

Check which ports are listening
# -----------------------------------------------
#  Check listening ports and their processes
# -----------------------------------------------

# Shows TCP listening ports and process names as numbers
ss -tlnp

Run the following command:

$ ss -tlnp
State    Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN   0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=1024,fd=3))
LISTEN   0       511     0.0.0.0:80          0.0.0.0:*          users:(("nginx",pid=2048,fd=6))
LISTEN   0       511     0.0.0.0:443         0.0.0.0:*          users:(("nginx",pid=2048,fd=7))
LISTEN   0       128     127.0.0.1:3306      0.0.0.0:*          users:(("mysqld",pid=3072,fd=21))

Check listening ports for both TCP and UDP
# -----------------------------------------------
#  Show LISTEN ports for both TCP and UDP
# -----------------------------------------------

# Adding -u includes UDP ports as well
ss -tunlp

Run the following command:

$ ss -tunlp
Netid  State    Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
udp    UNCONN   0       0       0.0.0.0:68          0.0.0.0:*          users:(("dhclient",pid=512,fd=6))
udp    UNCONN   0       0       127.0.0.53:53       0.0.0.0:*          users:(("systemd-r",pid=640,fd=14))
tcp    LISTEN   0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=1024,fd=3))
tcp    LISTEN   0       511     0.0.0.0:80          0.0.0.0:*          users:(("nginx",pid=2048,fd=6))

Check the number of TIME_WAIT connections
# -----------------------------------------------
#  Count the number of TIME_WAIT connections
# -----------------------------------------------

# Counts the number of TIME_WAIT lines
# A large number of TIME_WAIT entries is an early sign of port exhaustion
ss -an | grep TIME-WAIT | wc -l

Run the following command:

$ ss -an | grep TIME-WAIT | wc -l
47

Check connections to a specific port
# -----------------------------------------------
#  Filter connections to a specific port
# -----------------------------------------------

# Shows ESTABLISHED connections to or from port 443
ss -tnp state established '( dport = :443 or sport = :443 )'

Run the following command:

$ ss -tnp state established '( dport = :443 or sport = :443 )'
State        Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
ESTABLISHED  0       0       192.168.1.10:54832  203.0.113.50:443   users:(("curl",pid=8800,fd=5))
ESTABLISHED  0       0       192.168.1.10:54901  203.0.113.51:443   users:(("nginx",pid=2048,fd=12))

Check the connection statistics summary
# -----------------------------------------------
#  Show a socket statistics summary
# -----------------------------------------------

# Shows overall statistics for TCP, UDP, and UNIX sockets
ss -s

Run the following command:

$ ss -s
Total: 312
TCP:   28 (estab 15, closed 8, orphaned 0, timewait 7)

Transport  Total  IP  IPv6
RAW        0      0   0
UDP        5      4   1
TCP        20     16  4
INET       25     20  5
FRAG       0      0   0

Overview

ss retrieves information directly from the kernel via the netlink socket interface, making it faster than netstat. Because netstat is part of the net-tools package and is not installed by default in many modern distributions, it is worth getting into the habit of using ss going forward. When checking which ports are open, it is important to read the output of ss alongside the rules in firewalld or ufw. A port in the LISTEN state may still be unreachable from outside if it is blocked by firewalld or ufw, and conversely, opening a firewall port does nothing if the target service is not listening. By checking socket state with ss and comparing it against your firewall configuration, you can efficiently isolate network configuration problems.
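
One way to carry out the comparison described above, as an added example that is not part of the original page: it classifies each listener in ss -tlnp output by bind scope and checks the non-loopback ones against a list of ports the firewall is meant to allow. The function names, the allow list "22 80 443" and the sample output are assumptions; in practice the list would come from your firewalld or ufw rules.

```shell
#!/bin/sh
# Added example, not from the original page. Assumption: the argument to
# audit_exposure is the list of TCP ports your firewalld/ufw rules allow in.

# classify_listeners: reads `ss -tlnp` output, prints "SCOPE PORT PROCESS".
classify_listeners() {
    awk '$1 == "LISTEN" {
        addr = $4; port = $4
        sub(/.*:/, "", port)        # keep text after the last colon
        sub(/:[^:]*$/, "", addr)    # keep text before the last colon
        if (addr ~ /^127\./ || addr == "[::1]") scope = "loopback"
        else if (addr == "0.0.0.0" || addr == "[::]" || addr == "*") scope = "all"
        else scope = "specific"
        proc = "-"                  # stays "-" when ss could not show the owner
        if (match($0, /\(\("[^"]+"/)) proc = substr($0, RSTART + 3, RLENGTH - 4)
        print scope, port, proc
    }'
}

# audit_exposure "22 80 443": reads `ss -tlnp` output on stdin and reports
#   NOT-ALLOWED PORT PROC  listener bound beyond loopback, port not in the allow list
#   NO-LISTENER PORT       port allowed by the firewall, nothing listening on it
audit_exposure() {
    classify_listeners | awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) allow[a[i]] = 1 }
        $1 != "loopback" {
            if (!($2 in allow) && !($2 in seen)) print "NOT-ALLOWED", $2, $3
            seen[$2] = 1
        }
        END { for (p in allow) if (!(p in seen)) print "NO-LISTENER", p }' | LC_ALL=C sort
}

# Constructed sample of `ss -tlnp` output (addresses and PIDs are made up).
sample_ss_tlnp() {
cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=1024,fd=3))
LISTEN 0      511    0.0.0.0:80         0.0.0.0:*         users:(("nginx",pid=2048,fd=6))
LISTEN 0      128    127.0.0.1:3306     0.0.0.0:*         users:(("mysqld",pid=3072,fd=21))
LISTEN 0      128    [::]:6379          [::]:*            users:(("redis-server",pid=4096,fd=7))
EOF
}

# Demo on the sample; prints one NO-LISTENER and one NOT-ALLOWED line.
sample_ss_tlnp | audit_exposure "22 80 443"
# Live use (run as root to see every owning process): ss -tlnp | audit_exposure "22 80 443"
```

A NOT-ALLOWED line means the service depends on the firewall alone to stay unreachable; binding it to 127.0.0.1 or stopping it removes that dependency.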
