Inspect socket state on a production host using ss
to enumerate listening services, UDP endpoints, established TCP
sessions, and summary statistics. Use the output to confirm what
is exposed, what is active, and what to investigate next.
You are validating socket activity on a production server to
confirm what is listening, what is communicating, and whether
any unexpected services are exposed. Your task is to use ss
to enumerate listening TCP sockets, inspect UDP endpoints,
isolate established TCP sessions, and collect a high-level
socket summary for triage.
ss is the modern replacement for netstat in many environments.
When diagnosing incidents or validating a change, socket state
is the fastest truth: open ports, active sessions, and
immediate exposure.
ss variant.
UNCONN for
connectionless sockets.
ss -tln
This shows listening TCP sockets with numeric ports. Use it to confirm what services are bound and accepting inbound connections.
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 127.0.0.1:5432 *:*
LISTEN 0 128 0.0.0.0:22 *:*
ss -ua
UDP sockets are connectionless, so the state typically
appears as UNCONN. Depending on the flags you pass, the output
shows only listening UDP sockets or all UDP endpoints.
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 127.0.0.1:123 *:*
ss -tn state established
This filters to established TCP sessions and prints numeric addresses and ports. Use it to validate active sessions when a host is unexpectedly busy.
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 192.168.1.10:22 192.168.1.5:53324
ss -s
The summary view provides a quick count of sockets by protocol and state. Use it to spot unusually high connection volume and state accumulation.
Total: 3 (kernel 4)
TCP: 1 (estab 1, closed 0, orphaned 0, timewait 0)
If you see names like ssh or http instead of port numbers, add -n
to force numeric output and avoid resolution delays.
Confirm you are using -l for listeners, and verify the host
actually has services bound to interfaces beyond loopback.
On minimal systems, the expected output may be small.
UDP is connectionless, so you often see UNCONN. Use -l when you
want listeners only, and -a when you want all UDP endpoints.
Confirm you are filtering the correct state and protocol. If the issue is intermittent, capture multiple snapshots or run the command during the suspected activity window.
This lab is read-only. Cleanup is documenting findings and confirming you did not misinterpret name-resolved output as a port-level fact.
ss -tln
ss -uan
ss -tn state established
ss -s
You can state which ports are listening, which UDP endpoints are active, whether established sessions exist, and whether socket counts look normal for the host.
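To make the ss -tln step a repeatable exposure check, the following added example (not part of the original lab) labels each listener as LOOPBACK, WILDCARD, or SPECIFIC by its local address. It goes beyond the lab's IPv4 rows to handle IPv6, scoped addresses, and output with a Netid column; the function names and all sample rows after the first two are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original lab: label each listener in
# `ss -tln` output by how widely its local address is bound.

# Constructed sample input. The first two rows match the lab's output;
# the last three are invented to cover IPv6 and a scoped address.
sample_ss_tln() {
cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:5432     *:*
LISTEN 0      128    0.0.0.0:22         *:*
LISTEN 0      128    [::]:22            [::]:*
LISTEN 0      4096   127.0.0.53%lo:53   0.0.0.0:*
LISTEN 0      511    192.168.1.10:8080  0.0.0.0:*
EOF
}

# Reads ss output on stdin, prints "<scope> <address> <port>" per listener.
classify_listeners() {
    awk '
    {
        # State is column 1 with -t alone, column 2 when a Netid column is shown.
        if ($1 == "LISTEN") ep = $4
        else if ($2 == "LISTEN") ep = $5
        else next                      # header or non-listening row

        match(ep, /:[^:]*$/)           # split at the last colon (IPv6-safe)
        addr = substr(ep, 1, RSTART - 1)
        port = substr(ep, RSTART + 1)
        gsub(/\[|\]/, "", addr)        # [::] -> ::
        sub(/%.*$/, "", addr)          # 127.0.0.53%lo -> 127.0.0.53

        if (addr ~ /^127\./ || addr == "::1") scope = "LOOPBACK"
        else if (addr == "0.0.0.0" || addr == "*" || addr == "::") scope = "WILDCARD"
        else scope = "SPECIFIC"
        print scope, addr, port
    }'
}

# Listeners reachable from beyond loopback: the ones to account for first.
exposed_listeners() {
    classify_listeners | grep -v '^LOOPBACK '
}

sample_ss_tln | exposed_listeners
```

On a live host, replace the sample with `ss -tln | exposed_listeners` and compare the result against the services you expect to be reachable.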
ss -tln: Lists listening TCP sockets with numeric output.
  -t TCP sockets.
  -l listening sockets only.
  -n numeric addresses and ports.
ss -ua: Displays UDP sockets (often shown as UNCONN).
  -u UDP sockets.
  -a all sockets.
  -n for numeric output and -l for listeners only when needed.
ss -tn state established: Filters to established TCP connections with numeric output.
  state established restricts to active sessions.
  -n avoids DNS/service name resolution for faster output.
ss -s: Displays socket summary statistics by protocol/state for quick triage.