
Lab 65: The ss Command - View and Analyze Socket Connections

Inspect socket state on a production host using ss to enumerate listening services, UDP endpoints, established TCP sessions, and summary statistics. Use the output to confirm what is exposed, what is active, and what to investigate next.

network troubleshooting core

Scenario

You need to inspect network socket activity on a production server to understand what is listening, what is communicating, and whether there are unexpected services exposed. Your task is to use ss to list listening TCP sockets, view UDP endpoints, filter for established TCP sessions, and produce a socket summary.

Operator context

ss is the modern replacement for netstat in many environments. When diagnosing incidents or validating a change, socket state gives you a fast truth: what ports are open, which processes are bound, and which connections are active right now.

Objective

  • Display all listening TCP sockets with numeric output.
  • Display UDP sockets using an accepted ss variant.
  • Filter for established TCP connections.
  • Produce socket summary statistics for quick triage.

What You’ll Practice

  • Enumerating listening TCP services using ss -tln.
  • Inspecting UDP endpoints using common ss filters (-u, -a, -n, -l).
  • Filtering socket state using state selectors.
  • Getting an at-a-glance socket summary using ss -s.

Walkthrough

Step 1 : Display all listening TCP sockets.
Command
ss -tln

This shows listening TCP sockets with numeric ports. It is a fast way to confirm what services are bound and accepting inbound connections.

State      Recv-Q Send-Q  Local Address:Port  Peer Address:Port
LISTEN     0      128     127.0.0.1:5432      *:*
LISTEN     0      128     0.0.0.0:22          *:*

Step 2 : Display UDP sockets.
Command
ss -ua

UDP sockets are connectionless, so the output typically appears as UNCONN. Depending on flags, you may show listening UDP sockets or all UDP endpoints.

Netid  State   Recv-Q Send-Q Local Address:Port   Peer Address:Port
udp    UNCONN  0      0      127.0.0.1:123        *:*

Step 3 : Show all established TCP connections.
Command
ss -tn state established

This filters to established TCP sessions and prints numeric addresses and ports, which is useful for quick triage when a host is under load or unexpectedly busy.

State  Recv-Q Send-Q  Local Address:Port   Peer Address:Port
ESTAB  0      0       192.168.1.10:22      192.168.1.5:53324

Step 4 : Display summary statistics for all sockets.
Command
ss -s

The summary view provides a quick count of sockets by protocol and state. It is useful when validating whether the system is accumulating large numbers of connections.

Total: 3 (kernel 4)
TCP:   1 (estab 1, closed 0, orphaned 0, timewait 0)
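
To turn the Step 1 output into an exposure check, the following added example (not part of the original lab) classifies each ss -tln listener by bind scope and flags non-loopback ports that are missing from an allowlist. The function name, verdict labels, the allowlist value and the sample rows beyond the two shown in Step 1 are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify `ss -tln` listeners by bind scope and flag
# non-loopback ports that are not on an expected-ports allowlist.

# Constructed sample in the Step 1 format (first two rows are the lab's;
# the rest are made up to cover IPv6 and wildcard forms).
SAMPLE='State      Recv-Q Send-Q  Local Address:Port  Peer Address:Port
LISTEN     0      128     127.0.0.1:5432      *:*
LISTEN     0      128     0.0.0.0:22          *:*
LISTEN     0      128     [::]:8080           [::]:*
LISTEN     0      4096    [::1]:631           [::]:*
LISTEN     0      128     *:9100              *:*'

# classify_listeners "22,443" < ss-output   (hypothetical helper)
# Assumes single-protocol output (no Netid column), so field 4 is
# Local Address:Port. Prints: VERDICT SCOPE ADDRESS PORT
classify_listeners() {
  awk -v allow="$1" '
    BEGIN { n = split(allow, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 != "LISTEN" { next }               # skip the header row
    {
      port = $4; sub(/.*:/, "", port)     # text after the last colon
      addr = substr($4, 1, length($4) - length(port) - 1)
      sub(/%.*/, "", addr)                # drop interface scope such as %lo

      if (addr ~ /^127\./ || addr == "[::1]" || addr == "::1")
        scope = "loopback"
      else if (addr == "0.0.0.0" || addr == "*" || addr == "[::]" || addr == "::")
        scope = "all-interfaces"
      else
        scope = "single-address"

      if (scope == "loopback")   verdict = "OK"
      else if (port in ok)       verdict = "EXPECTED"
      else                       verdict = "REVIEW"

      printf "%s %s %s %s\n", verdict, scope, addr, port
    }'
}

# Demo on the constructed sample; on a live host: ss -tln | classify_listeners "22"
printf '%s\n' "$SAMPLE" | classify_listeners "22"
```

Rows marked REVIEW are listeners reachable from off-host that the allowlist does not account for; rerunning with -p added to the ss command shows the owning process for follow-up.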

Reference

  • ss -tln : Lists listening TCP sockets with numeric output.
    • -t TCP sockets.
    • -l listening sockets only.
    • -n numeric addresses and ports.
  • ss -ua : Displays UDP sockets (often shown as UNCONN).
    • -u UDP sockets.
    • -a all sockets (not just listening).
    • Common variants include ss -un (numeric) and ss -uln (listening + numeric).
  • ss -tn state established : Filters to established TCP connections.
    • state established restricts output to active sessions.
    • -n avoids DNS/service name resolution for faster output.
  • ss -s : Displays socket summary statistics by protocol/state for quick triage.