Updated 10 hours ago
Every network problem starts with the same question: who is talking to whom?
Your web server isn't responding. Your database connection keeps dropping. Something is hogging port 3000. Before you can fix anything, you need to see the connections.
The ss command answers this instantly. It shows you every socket on your Linux system—what's listening, what's connected, what's waiting to close. It's the modern replacement for netstat, and it's dramatically faster because it reads directly from the kernel instead of parsing text files.
Seeing What's Happening
The most common thing you'll want to know: what's listening on which ports?
This breaks down as:
-t: TCP sockets-l: Only listening (waiting for connections)-n: Show port numbers, not service names-p: Show which program owns each socket
Now you know: SSH is listening on port 22, MySQL on 3306 (but only localhost), and nginx on 80.
The Universal Frustration
"Port already in use."
Every developer has seen this error. Something is squatting on the port you need. Find it:
Or with ss's built-in filtering (no grep needed):
Now you know what to kill.
Active Connections
Listening sockets wait for connections. But what about connections that are actually happening?
This shows established TCP connections:
Your machine is talking to two remote servers on port 443 (HTTPS).
Add -p to see which programs:
Built-In Filtering
This is where ss outshines netstat. Instead of piping through grep, you can filter directly:
By state:
By port:
By address:
Combined:
When Connections Go Wrong
Slow application? Check the connection quality:
This shows TCP internals—round-trip time, retransmissions, congestion window. If you see high retransmission counts, your network is dropping packets.
Receive queue backing up?
A growing receive queue means your application isn't reading data fast enough.
Quick Overview
Want to know how many connections you have without listing them all?
The Options You'll Actually Use
| Option | Meaning |
|---|---|
-t | TCP sockets |
-u | UDP sockets |
-l | Listening only |
-a | All sockets (listening and non-listening) |
-n | Numeric (don't resolve names) |
-p | Show process |
-i | Show TCP internal info |
-m | Show socket memory usage |
-s | Summary statistics |
Combine them: ss -tulnp shows all listening TCP and UDP sockets with process info.
Understanding Socket States
When you see connection states, here's what matters:
LISTEN: Waiting for incoming connections. This is your server.
ESTAB: Active connection. Data is flowing (or could flow).
TIME-WAIT: Connection closed, but socket lingers briefly to catch any stray packets. Lots of these is normal for busy servers.
CLOSE-WAIT: The remote side closed, but your application hasn't. If these accumulate, your application has a bug—it's not closing connections properly.
Real Scenarios
Service won't start:
Find what's blocking the port.
Too many connections:
Check if you're hitting limits.
Application can't reach server:
See if connections exist or are stuck.
Monitor connection count:
For UDP
UDP doesn't have connection states like TCP, but you can still see listening services:
DNS servers (port 53), DHCP (67/68), and NTP (123) typically show up here.
Coming from netstat
Most netstat commands translate directly:
netstat -tulpn→ss -tulpnnetstat -an→ss -an
For routing tables, use ip route instead—ss is purely for sockets.
Frequently Asked Questions About ss
Was this page helpful?