Dominando Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port u_str ESTAB 0 0 /run/docker.sock 5709 * 14842 u_str ESTAB 0 0 /run/systemd/journal/stdout 21548 * 22532 u_str ESTAB 0 0 * 10985 * 10986 u_str ESTAB 0 0 * 14845 * 19133 u_str ESTAB 0 0 * 11001 * 11002 u_str ESTAB 0 0 /run/containerd/s/4b6159334a2dc4ca4030bd9945ef386619faffb86e59cf939d034f70aabbd053 9200 * 17570 u_str ESTAB 0 0 * 21551 * 21552 u_str ESTAB 0 0 * 14852 * 14853 u_str ESTAB 0 0 /run/docker.sock 5705 * 14840 u_str ESTAB 0 0 * 17286 * 15615 u_str ESTAB 0 0 * 10979 * 10978 u_str ESTAB 0 0 * 14843 * 21945 u_str ESTAB 0 0 * 9194 * 17564 u_str ESTAB 0 0 * 107472978 * 107472979 u_str ESTAB 0 0 * 14839 * 19130 u_str ESTAB 0 0 * 10994 * 10993 u_str ESTAB 0 0 /run/systemd/journal/stdout 4488 * 9525 u_dgr ESTAB 0 0 * 7570 * 1731 u_str ESTAB 0 0 * 14835 * 21937 u_str ESTAB 0 0 * 10984 * 10983 u_str ESTAB 0 0 /run/docker.sock 19133 * 14845 u_str ESTAB 0 0 * 10978 * 10979 u_str ESTAB 0 0 /run/systemd/journal/stdout 21552 * 21551 u_str ESTAB 0 0 * 11731 * 11732 u_str ESTAB 0 0 * 8975 * 9842 u_str ESTAB 0 0 * 10992 * 10991 u_str ESTAB 0 0 * 17741 * 21549 u_str ESTAB 0 0 * 8061 * 5024 u_str ESTAB 0 0 * 14853 * 14852 u_str ESTAB 0 0 * 10983 * 10984 u_str ESTAB 0 0 /run/docker.sock 92820896 * 92820895 u_str ESTAB 0 0 /run/systemd/journal/stdout 4475 * 7569 u_str ESTAB 0 0 /run/docker.sock 21951 * 14850 u_str ESTAB 0 0 * 17305 * 13976 u_str ESTAB 0 0 * 11000 * 10999 u_str ESTAB 0 0 * 92820895 * 92820896 u_str ESTAB 0 0 * 21569 * 21570 u_str ESTAB 0 0 * 7868 * 7869 u_str ESTAB 0 0 * 14846 * 21949 u_str ESTAB 0 0 /run/systemd/journal/stdout 21571 * 22548 u_str ESTAB 0 0 * 10980 * 10981 u_str ESTAB 0 0 /run/containerd/containerd.sock.ttrpc 14663 * 17620 u_str ESTAB 0 0 /run/docker.sock 21945 * 14843 u_str ESTAB 0 0 /run/containerd/s/b94d1662b3868a2122d8c43d9af3a34f1bada4bbaaf43129a03426b2ba836ff0 13976 * 17305 u_str ESTAB 0 0 * 10986 * 10985 u_str ESTAB 0 0 * 17557 * 9946 u_str ESTAB 0 0 * 10991 * 10992 u_str ESTAB 0 0 * 10208 * 17378 u_str ESTAB 0 0 /run/docker.sock 21947 * 14844 u_str ESTAB 0 0 * 11849 * 7700 u_str ESTAB 0 0 * 11003 * 11004 u_str ESTAB 0 0 * 17570 * 9200 u_str ESTAB 0 0 * 7828 * 4776 u_str ESTAB 0 0 * 14851 * 21953 u_str ESTAB 0 0 * 10996 * 10995 u_str ESTAB 0 0 /run/containerd/containerd.sock 13007 * 9755 u_str ESTAB 0 0 * 7921 * 17516 u_str ESTAB 0 0 /run/containerd/containerd.sock 4652 * 11874 u_str ESTAB 0 0 * 11002 * 11001 u_str ESTAB 0 0 /run/systemd/journal/stdout 21549 * 17741 u_str ESTAB 0 0 /run/containerd/s/b7ef5168ea6d89d6645e414a51b979050fd4694ccf9f96164464fdc31e504b88 4776 * 7828 u_str ESTAB 0 0 /run/docker.sock 21953 * 14851 u_str ESTAB 0 0 * 22532 * 21548 u_str ESTAB 0 0 /run/systemd/journal/stdout 4490 * 10898 u_dgr ESTAB 0 0 * 3169 * 1709 u_str ESTAB 0 0 /run/docker.sock 14848 * 14847 u_str ESTAB 0 0 * 107472971 * 0 u_str ESTAB 0 0 /run/systemd/journal/stdout 7700 * 11849 u_str ESTAB 0 0 * 10988 * 10987 u_str ESTAB 0 0 * 22548 * 21571 u_str ESTAB 0 0 /run/containerd/containerd.sock.ttrpc 9842 * 8975 u_str ESTAB 0 0 * 14844 * 21947 u_str ESTAB 0 0 /run/containerd/containerd.sock.ttrpc 9946 * 17557 u_str ESTAB 0 0 /run/docker.sock 5707 * 14841 u_str ESTAB 0 0 /run/systemd/journal/stdout 21567 * 18641 u_str ESTAB 0 0 * 10981 * 10980 u_str ESTAB 0 0 /run/systemd/journal/stdout 21570 * 21569 u_str ESTAB 0 0 * 11004 * 11003 u_str ESTAB 0 0 * 7569 * 4475 u_str ESTAB 0 0 * 14847 * 14848 u_str ESTAB 0 0 * 10989 * 10990 u_str ESTAB 0 0 * 17620 * 14663 u_str ESTAB 0 0 /run/docker.sock 19130 * 14839 u_str ESTAB 0 0 /run/systemd/journal/stdout 11732 * 11731 u_str ESTAB 0 0 * 10993 * 10994 u_str ESTAB 0 0 * 10997 * 10998 u_str ESTAB 8 0 /run/php/php8.4-fpm-undercodetesting_com.sock 107467758 * 107461315 u_str ESTAB 0 0 /run/containerd/s/585663af9810e6c40d2e4d842f6e204cc66c80b1bae779246eca661a21f480c3 17516 * 7921 u_str ESTAB 0 0 * 9535 * 9534 u_str ESTAB 0 0 /run/docker.sock 21949 * 14846 u_str ESTAB 0 0 * 107472979 * 107472978 u_str ESTAB 0 0 * 9534 * 9535 u_str ESTAB 0 0 * 11874 * 4652 u_str ESTAB 0 0 * 14850 * 21951 u_str ESTAB 0 0 * 10998 * 10997 u_str ESTAB 0 0 /run/containerd/s/f0496aae8fbe61fd4659dcdbdbfb7d984be9cc5b149db298752f294401b100f6 4920 * 9884 u_str ESTAB 0 0 * 14840 * 5705 u_str ESTAB 0 0 * 18041 * 15837 u_dgr ESTAB 0 0 * 11546 * 1731 u_str ESTAB 0 0 * 9525 * 4488 u_str ESTAB 0 0 * 10999 * 11000 u_str ESTAB 0 0 /run/containerd/containerd.sock.ttrpc 7869 * 7868 u_str ESTAB 0 0 * 18641 * 21567 u_str ESTAB 0 0 * 10995 * 10996 u_str ESTAB 0 0 * 9755 * 13007 u_str ESTAB 0 0 * 14842 * 5709 u_str ESTAB 0 0 * 10898 * 4490 u_str ESTAB 0 0 /run/docker.sock 21937 * 14835 u_str ESTAB 0 0 /run/containerd/s/0b1412e63c2d6b1f8859cf449251e27d911ba737b792e0290ca2ec6e044bb80f 17564 * 9194 u_str ESTAB 0 0 /run/containerd/s/5eba258647294a4102b5c7afb1f7ca6ea40f1a7d42871516a5b1477ae77b4e82 15615 * 17286 u_str ESTAB 0 0 * 10990 * 10989 u_str ESTAB 0 0 /run/containerd/containerd.sock.ttrpc 17378 * 10208 u_str ESTAB 0 2304 * 107461315 * 107467758 u_str ESTAB 0 0 * 14841 * 5707 u_str ESTAB 0 0 * 10987 * 10988 u_str ESTAB 0 0 /run/systemd/journal/stdout 15837 * 18041 u_str ESTAB 0 0 * 9884 * 4920 u_str ESTAB 0 0 /run/systemd/journal/stdout 11617 * 6696 u_str ESTAB 0 0 * 15597 * 9184 u_dgr ESTAB 0 0 /run/systemd/notify 1709 * 0 u_dgr ESTAB 0 0 * 6318 * 6319 u_dgr ESTAB 0 0 * 1713 * 1712 u_str ESTAB 0 0 /run/systemd/journal/stdout 4518 * 6663 u_str ESTAB 0 0 * 20750 * 21955 u_str ESTAB 0 0 /run/containerd/containerd.sock.ttrpc 5024 * 8061 u_str ESTAB 0 0 * 6663 * 4518 u_dgr ESTAB 0 0 /run/systemd/journal/dev-log 1731 * 0 u_dgr ESTAB 0 0 /run/systemd/journal/socket 1732 * 0 u_str ESTAB 0 0 * 31907633 * 31907634 u_str ESTAB 0 0 /run/systemd/journal/stdout 90872474 * 90881028 u_dgr ESTAB 0 0 * 4192 * 1732 u_str ESTAB 0 0 /run/systemd/journal/stdout 31910633 * 31907625 u_str ESTAB 0 0 * 50231 * 47427 u_dgr ESTAB 0 0 * 4201 * 4200 u_str ESTAB 0 0 * 47450 * 45734 u_str ESTAB 0 0 /run/containerd/s/ab71a097629bfee5bf7151d1e090dfb3370e90c0db77e529f99dc027d8f40f3e 7913 * 14519 u_str ESTAB 0 0 * 31907634 * 31907633 u_dgr ESTAB 0 0 * 2878 * 1732 u_str ESTAB 0 0 * 20578 * 21568 u_str ESTAB 0 0 * 19495 * 17599 u_str ESTAB 0 0 /run/containerd/s/3ba0ca549e3cf0df39f4c702037827af18de85e78c438fd9bf0e797600cd2335 47427 * 50231 u_str ESTAB 0 0 /run/systemd/journal/stdout 3205 * 4165 u_str ESTAB 0 0 * 14557 * 9182 u_str ESTAB 0 0 * 5120 * 17368 u_str ESTAB 0 0 * 19616 * 21547 u_str ESTAB 0 0 /run/docker.sock 6664473 * 6652853 u_str ESTAB 0 0 /run/docker.sock 73616975 * 73616974 u_str ESTAB 0 0 * 4165 * 3205 u_str ESTAB 0 0 * 19489 * 13946 u_str ESTAB 0 0 * 20563 * 21550 u_str ESTAB 0 0 /run/dbus/system_bus_socket 9546 * 5532 u_str ESTAB 0 0 /run/containerd/containerd.sock.ttrpc 42882 * 47445 u_str ESTAB 0 0 /run/systemd/journal/stdout 21547 * 19616 u_str ESTAB 0 0 /run/docker.sock 21955 * 20750 u_str ESTAB 0 0 /run/docker.sock 45734 * 47450 u_dgr ESTAB 0 0 * 1714 * 1715 u_str ESTAB 0 0 /run/containerd/containerd.sock.ttrpc 9184 * 15597 u_str ESTAB 0 0 /run/systemd/journal/stdout 11625 * 4604 u_str ESTAB 0 0 * 31907625 * 31910633 u_dgr ESTAB 0 0 * 1711 * 1710 u_str ESTAB 0 0 * 73616974 * 73616975 u_str ESTAB 0 0 /run/systemd/journal/stdout 21568 * 20578 u_str ESTAB 0 0 /run/systemd/journal/stdout 10918 * 12725 u_str ESTAB 0 0 /run/containerd/s/d946cd0c843ff4535a8714851f6f700268f5ace3f029ba454bacc9ae85d43278 17368 * 5120 u_str ESTAB 0 0 * 6308 * 3207 u_dgr ESTAB 0 0 * 1712 * 1713 u_str ESTAB 0 0 /run/containerd/containerd.sock.ttrpc 9182 * 14557 u_str ESTAB 0 0 * 15490 * 13123 u_str ESTAB 0 0 * 49879318 * 49883231 u_str ESTAB 0 0 * 47445 * 42882 u_str ESTAB 0 0 /run/containerd/containerd.sock.ttrpc 17599 * 19495 u_dgr ESTAB 0 0 * 4200 * 4201 u_str ESTAB 0 0 /run/systemd/journal/stdout 3207 * 6308 u_str ESTAB 0 0 /run/systemd/journal/stdout 4515 * 5472 u_str ESTAB 0 0 /run/systemd/journal/stdout 20744 * 15879 u_str ESTAB 0 0 * 14028 * 21546 u_str ESTAB 0 0 /run/systemd/journal/stdout 21550 * 20563 u_dgr ESTAB 0 0 * 1715 * 1714 u_str ESTAB 0 0 /run/containerd/s/3e48371fa05b5ac82b1c532eb79dc4ed68c5e6b6e9901f3ace5b81343a65ac1e 13123 * 15490 u_str ESTAB 0 0 /run/systemd/journal/stdout 21546 * 14028 u_dgr ESTAB 0 0 * 4198 * 4199 u_str ESTAB 0 0 * 90881028 * 90872474 u_str ESTAB 0 0 /run/docker.sock 49883231 * 49879318 u_str ESTAB 0 0 /run/dbus/system_bus_socket 9537 * 4469 u_str ESTAB 0 0 * 15879 * 20744 u_str ESTAB 0 0 * 12725 * 10918 u_str ESTAB 0 0 * 4604 * 11625 u_dgr ESTAB 0 0 * 1710 * 1711 u_dgr ESTAB 0 0 * 5521 * 1732 u_str ESTAB 0 0 * 14519 * 7913 u_dgr ESTAB 0 0 * 6317 * 1732 u_str ESTAB 0 0 * 27488324 * 27484842 u_str ESTAB 0 0 * 5472 * 4515 u_str ESTAB 0 0 * 6696 * 11617 u_str ESTAB 0 0 /run/dbus/system_bus_socket 9540 * 12625 u_str ESTAB 0 0 * 6652853 * 6664473 u_str ESTAB 0 0 /run/docker.sock 27484842 * 27488324 u_dgr ESTAB 0 0 * 6319 * 6318 u_dgr ESTAB 0 0 * 4199 * 4198 u_str ESTAB 0 0 /run/containerd/containerd.sock.ttrpc 13946 * 19489 u_str ESTAB 0 0 @faac3204646f0cb7/bus/systemd-logind/system 5532 * 9546 u_str ESTAB 0 0 @c776b8c888520630/bus/systemd-timesyn/bus-api-timesync 4469 * 9537 u_str ESTAB 0 0 @8b22f64eb6401fdd/bus/systemd/bus-api-system 12625 * 9540 udp ESTAB 0 0 192.168.122.31:39953 208.67.222.222:domain udp ESTAB 0 0 192.168.122.31:58199 208.67.222.222:domain tcp ESTAB 0 0 192.168.122.31:43864 198.41.192.7:7844 tcp ESTAB 0 0 192.168.122.31:41106 198.41.192.27:7844 tcp ESTAB 0 0 127.0.0.1:redis 127.0.0.1:59294 tcp ESTAB 0 0 192.168.122.31:55428 198.41.200.53:7844 tcp ESTAB 0 0 192.168.122.31:56532 198.41.192.67:7844 tcp ESTAB 0 0 192.168.122.31:33594 198.41.192.37:7844 tcp ESTAB 0 0 192.168.122.31:41852 198.41.200.113:7844 tcp ESTAB 0 0 192.168.122.31:47036 198.41.192.57:7844 tcp ESTAB 0 0 192.168.122.31:36778 198.41.192.27:7844 tcp ESTAB 0 0 192.168.122.31:52130 198.41.200.33:7844 tcp ESTAB 0 0 192.168.122.31:55432 198.41.200.53:7844 tcp ESTAB 0 0 192.168.122.31:43086 198.41.192.27:7844 tcp ESTAB 0 0 192.168.122.31:53644 198.41.192.7:7844 tcp ESTAB 0 0 192.168.122.31:41858 198.41.200.113:7844 tcp ESTAB 0 0 192.168.122.31:58194 198.41.192.37:7844 tcp ESTAB 0 0 192.168.122.31:39746 198.41.200.73:7844 tcp ESTAB 0 0 192.168.122.31:41076 198.41.192.67:7844 tcp ESTAB 0 0 192.168.122.31:34122 198.41.192.107:7844 tcp ESTAB 0 0 192.168.122.31:49790 198.41.200.63:7844 tcp ESTAB 0 0 192.168.122.31:60662 198.41.200.53:7844 tcp ESTAB 0 0 192.168.122.31:48458 198.41.192.77:7844 tcp ESTAB 0 0 127.0.0.1:59294 127.0.0.1:redis tcp ESTAB 0 0 192.168.122.31:60068 198.41.192.27:7844 tcp ESTAB 0 0 192.168.122.31:52068 198.41.200.33:7844 tcp ESTAB 0 0 192.168.122.31:48740 198.41.192.77:7844 tcp ESTAB 0 0 192.168.122.31:39288 198.41.200.23:7844 tcp ESTAB 0 0 192.168.122.31:58424 198.41.200.113:7844 tcp ESTAB 0 0 192.168.122.31:46834 198.41.200.63:7844 tcp ESTAB 0 0 192.168.122.31:37374 198.41.200.113:7844 tcp ESTAB 0 0 192.168.122.31:35838 198.41.192.47:7844 tcp ESTAB 0 0 127.0.0.1:35704 127.0.0.1:mysql tcp ESTAB 0 0 192.168.122.31:41426 198.41.192.167:7844 tcp ESTAB 0 0 192.168.122.31:47344 198.41.200.113:7844 tcp ESTAB 0 39 192.168.122.31:48536 198.41.200.33:7844 tcp ESTAB 0 0 192.168.122.31:36456 198.41.200.113:7844 tcp ESTAB 0 0 192.168.122.31:50330 149.154.166.110:https tcp ESTAB 0 0 192.168.122.31:53310 198.41.200.63:7844 tcp ESTAB 0 0 192.168.122.31:37224 198.41.200.43:7844 tcp ESTAB 0 0 192.168.122.31:51418 198.41.192.57:7844 tcp ESTAB 0 0 192.168.122.31:49862 198.41.192.27:7844 tcp ESTAB 0 0 192.168.122.31:58304 198.41.200.43:7844 tcp ESTAB 0 0 192.168.122.31:42868 198.41.200.233:7844 tcp ESTAB 0 0 192.168.122.31:50288 198.41.192.167:7844 tcp ESTAB 0 0 192.168.122.31:52668 198.41.200.193:7844 tcp ESTAB 0 0 192.168.122.31:33546 198.41.192.77:7844 tcp ESTAB 0 0 192.168.122.31:35998 198.41.200.53:7844 tcp ESTAB 0 0 192.168.122.31:60536 198.41.192.107:7844 tcp ESTAB 0 0 127.0.0.1:mysql 127.0.0.1:35704 tcp ESTAB 0 0 192.168.122.31:47026 198.41.192.57:7844 tcp ESTAB 0 0 192.168.122.31:37340 149.154.166.110:https tcp ESTAB 0 0 [::1]:ssh [::1]:51430 tcp ESTAB 0 0 [::1]:http [::1]:56524 tcp ESTAB 0 0 [::1]:http [::1]:33074 tcp ESTAB 0 0 [::1]:33074 [::1]:http tcp ESTAB 0 0 [::1]:56524 [::1]:http tcp ESTAB 0 0 [::1]:http [::1]:59836 tcp ESTAB 0 0 [::1]:http [::1]:47000 tcp ESTAB 0 0 [::1]:59836 [::1]:http tcp ESTAB 0 0 [::1]:59820 [::1]:http tcp ESTAB 0 0 [::1]:http [::1]:48104 tcp ESTAB 0 0 [::1]:51430 [::1]:ssh tcp ESTAB 0 0 [::1]:48104 [::1]:http tcp ESTAB 0 0 [::1]:47000 [::1]:http tcp ESTAB 0 0 [::1]:http [::1]:59820 : La Herramienta Definitiva para el Diagnóstico de Redes en Linux que Reemplaza a + Video

Listen to this Post

Featured Image

Introduction

In the dynamic world of Linux system administration and cybersecurity, having a command-line tool that provides rapid, detailed, and real-time visibility into network connections is non-1egotiable. The `ss` (socket statistics) utility has emerged as the modern, superior replacement for the legacy netstat, offering unmatched speed, powerful filtering capabilities, and comprehensive insights into socket states. For DevOps engineers, SysAdmins, and security professionals, mastering `ss` is essential for troubleshooting performance issues, identifying unauthorized connections, and ensuring the integrity of server infrastructures.

Learning Objectives

  • Understand the core differences between `ss` and `netstat` and why `ss` is the preferred tool for modern Linux diagnostics.
  • Learn to use `ss` to filter, analyze, and monitor active TCP, UDP, and UNIX socket connections in real-time.
  • Gain proficiency in using advanced `ss` filters to pinpoint specific processes, states, and ports for security auditing and network debugging.

You Should Know

  1. The Rise of `ss` Over netstat: Why Speed and Accuracy Matter
    The `ss` command isn’t just an alternative to netstat; it’s a complete evolution. While `netstat` relies on the `/proc` filesystem and can be slow on systems with many connections, `ss` queries the kernel directly via the `netlink` interface. This makes it significantly faster and more efficient, especially in high-traffic production environments. Furthermore, `netstat` is now considered deprecated in many modern Linux distributions (like RHEL and CentOS), with developers being encouraged to adopt ss. From a cybersecurity perspective, the ability to quickly scan for unexpected listening ports or suspicious ESTABLISHED connections is critical during incident response. `ss` provides this visibility with less overhead and more precision. For a basic overview, the command `ss -tuln` (which shows listening TCP and UDP ports numerically) is the modern equivalent of netstat -tulpn. To see all active connections, `ss -tunp` is the go-to, as it resolves IPs and ports while showing the associated processes (root access required for certain process IDs).

2. Installing and Verifying `ss` on Your System

Before diving into complex filters, ensure `ss` is available on your system. It is part of the `iproute2` package, which is standard on almost all Linux distributions. If you encounter a “command not found” error, install it using your package manager. Here are the commands for various distributions:

Debian/Ubuntu:

sudo apt update
sudo apt install iproute2

RHEL/CentOS/Fedora:

sudo yum install iproute2  or for newer versions: sudo dnf install iproute2

Arch Linux:

sudo pacman -S iproute2

Once installed, verify the version to ensure it supports all features:

ss -V

This confirms that you have the `iproute2` suite, which provides the latest updates and filtering syntax. Unlike netstat, which could require separate packages, `ss` is a core component of the network stack management toolset.

  1. Decoding Socket States: The Heart of TCP Diagnostics
    A fundamental strength of `ss` lies in its ability to display and filter TCP socket states, which are crucial for understanding the lifecycle of a connection and troubleshooting network issues. Key states include:

– LISTEN: The socket is waiting for incoming connections (typical of servers).
– ESTABLISHED: The connection is active and data transfer is occurring.
– TIME-WAIT: The socket is closed, but waiting for any delayed packets to arrive (helps in ensuring remote received the final ACK).
– CLOSE-WAIT: The remote has closed the connection, but the local application hasn’t closed its side yet (potential application bug).
– SYN-SENT / SYN-RECV: Handshake stages.

Step-by-step command usage:

To see all connections in a specific state, use the `state` filter. For example, to view all established TCP connections:

ss -tn state established

To view TCP connections that are waiting to close (useful for identifying potential denial-of-service conditions or application leaks):

ss -tn state time-wait

Understanding these states helps in forensic analysis. A high number of CLOSE-WAIT states often indicates an application is not properly closing resources, which can lead to socket exhaustion and server instability.

  1. Advanced Filtering by Port, Protocol, and IP Address
    `ss` offers highly granular filtering, allowing administrators to narrow down traffic based on specific parameters. This is invaluable when debugging application connectivity or isolating malicious traffic.

Filtering by specific port (source or destination):

  • To find all connections to or from port 443 (HTTPS): ss -tn sport = :443 or dport = :443.
  • To find connections destined for a specific port: `ss -tn dport = :22` (this shows SSH clients connecting to the server).
  • To find connections from a specific IP: ss -tn src 192.168.1.100.
  • To find connections to a specific IP: ss -tn dst 8.8.8.8.

Combining filters:

For complex diagnostics, you can combine filters with logical operators (and, or). For instance, to find established connections on your system that are connected to port 443 of a specific subnet:

ss -tn state established dst 192.168.1.0/24:443

This is a powerful tool for security monitoring, allowing you to quickly audit outbound connections to unauthorized networks.

5. Identifying Processes and Security Auditing with `-p`

One of the most crucial features for cybersecurity professionals is the `-p` flag, which reveals the process ID (PID) and process name associated with a socket. This is the replacement for netstat -p. Using it, you can identify which application is listening on a suspicious port or which process is generating a high volume of outbound traffic.

Step-by-step guide to identify a process on port 80:
1. Run the listening command: `sudo ss -tlpn | grep :80`
2. The output will show: `LISTEN 0 128 :80 : users:((“nginx”,pid=1234,fd=6))`
3. This tells you that `nginx` with PID 1234 is listening on port 80.

Detailed process auditing:

To audit all processes with established connections, use:

sudo ss -tunp state established

This provides a comprehensive table of active connections, their local and remote addresses, and the responsible processes. If you find a process connecting to an unknown external IP, it warrants immediate investigation.

Equivalent for Windows:

While `ss` is Linux-specific, the `netstat -ano` command on Windows provides similar PID-based listening and active connection information, though it lacks the state-specific filters of ss. For advanced Windows diagnostics, `Get-1etTCPConnection` in PowerShell is the modern counterpart.

6. Monitoring UNIX Sockets for Local Application Communication

Linux systems use UNIX domain sockets for efficient Inter-Process Communication (IPC) between local applications (e.g., databases, web servers, and cache layers like Redis or Memcached). `ss` is excellent for monitoring these, which is often overlooked but critical for performance diagnostics.

Step-by-step:

  1. To list all UNIX sockets: `ss -x` or `ss -lpx` (to show listening sockets with process info).
  2. To list sockets for a specific service like MySQL: ss -lpx | grep mysql.sock.
  3. To see detailed statistics and memory info of UNIX sockets: ss -m -x.

Monitoring UNIX sockets helps diagnose issues where an application cannot connect to a local service like a database, often indicating permission issues or the service not starting properly. Seeing many connections in the `UNCONN` state for a UNIX socket can help tune application connection pools.

7. Real-Time Monitoring and Troubleshooting with `ss`

Continuous monitoring is essential for catching transient network issues. Combining `ss` with `watch` creates a real-time dashboard.

Command to monitor established connections every second:

watch -1 1 'ss -tn state established | wc -l'

This command counts the number of established connections, helping you spot sudden spikes in traffic. You can create a more detailed view:

watch -1 2 'ss -tulpn'

This refreshes every 2 seconds, showing you dynamic changes in listening and active ports—perfect for seeing if a service is binding correctly after a restart or if a port is being hijacked by another process.

Troubleshooting a slow web application:

  1. Run `ss -ti` to see internal TCP information (includes timers, retransmissions, and smoothed round-trip time).
  2. Look for lines containing `retrans` to see if there are retransmissions happening. High retransmission rates indicate packet loss or network congestion.
  3. Use `ss -tm` to view socket memory usage, which can identify if a socket is out of memory and thus failing to process data.

What Undercode Say

  • Key Takeaway 1: Efficiency and Modernization – The transition from `netstat` to `ss` is a necessary step for modern system administration. Its speed and direct kernel data access make it indispensable for real-time network diagnostics, offering a performance advantage that is critical during high-load incidents.
  • Key Takeaway 2: Security and Forensic Capabilities – `ss` is a powerful ally in the security arsenal. The ability to quickly filter by state, port, and IP, combined with PID identification (-p), allows for rapid discovery of potential backdoors, unauthorized services, and compromised processes. Regular auditing with `ss` should be a standard practice for any security-hardened environment.
  • Analysis: The cheat sheet shared by Héctor Joaquín succinctly captures the most valuable production use-cases of ss. The command `ss -tulpn` is often the first command typed on a new server to establish a baseline of what’s running. The true power, however, is unlocked when moving beyond basic listing into state filtering (state established) and port filtering (dport). For cybersecurity, the `ss -tpn` command (without the listening flag) is critical for spotting connections that should not be established, potentially indicating data exfiltration or reverse shells. As systems become more complex with microservices and containerized workloads, `ss` provides the necessary visibility to map out internal communication flows and quickly diagnose which container or service is misbehaving, all without the overhead of legacy tools.

Prediction

  • +1 The adoption of `ss` will continue to grow, becoming the universally required skill for Linux certification exams (like RHCSA and LFCS) as `netstat` is phased out, standardizing and improving network troubleshooting across the industry.
  • +1 With the rise of eBPF and other advanced monitoring tools, `ss` will likely be integrated into more sophisticated observability dashboards, providing an even richer dataset for AI-driven anomaly detection in network traffic.
  • -1 As security threats become more sophisticated, attackers may attempt to manipulate `ss` output or replace the `iproute2` toolset to hide their activities. This means that system administrators will need to rely on kernel-level monitoring (e.g., using `auditd` or eBPF) in conjunction with `ss` to maintain integrity.

▶️ Related Video (76% Match):

🎯Let’s Practice For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

IT/Security Reporter URL:

Reported By: H%C3%A9ctor Joaqu%C3%ADn – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky