+3 votes
338 views
Analyze network connections with the ss command, netstat replacement

in Guides by (473k points)
reopened | 338 views

1 Answer

+4 votes
Best answer

What is that about the net-tools and the iproute2 suite?
Analyzing network connections in Linux with the ss command.
Examples of using the ss command to obtain connection information.
Examples of how to filter connections depending on the protocol (HTTP, FTP, SMTP or SSH) or depending on the port.

The other day I was writing an article that showed how to get information from the network card in Windows operating systems , something I don't usually do very often, since I generally manage Linux-based systems. This brought me the idea of "‹"‹writing an article about the analysis of network connections in Linux , but knowing that netstat will soon be replaced by ss , I have decided to directly use the ss command.

image

What is that about the net-tools and the iproute2 suite?

For those who are somewhat lost, the netstat command belongs to the net-tools network analysis tool suite, which was born in 2001. This suite was designed to work with older kernels, so in many Linux distributions it is already has replaced net-tools with the new iproute2 suite .

The iproute2 suite offers certain advantages over net-tools , in which we will not go deeper with technical details, but if we clarify that they offer better performance , they have a more intuitive use and their development is active.

As we are still in a phase of transition to iproute2, there are many distributions that include both, although in others net-tools have already been removed and the package marked as obsolete.
To make a simple tutorial, we will only focus on the use of the ss command, which is part of the iproute2 suite. This command is used to analyze network connections , since it replaces the old netstat command.

Analyzing network connections in Linux with the ss command.

The ss command refers to "Socket Statuts" and is used to obtain information about network connections, open ports and other statistics .

The most basic use is ss -a , which will display all the information of all connections on the screen. From here we can add different modifiers to obtain the information we are looking for. I recommend reading the help with the man ss command or consulting the different modifiers with the ss -h command.

Examples of using the ss command to obtain connection information.

First, if what we want is to list the connections depending on whether they use the TCP or UDP protocol , we will have to use the following commands:

  • List TCP connections: ss -ta
  • List UDP protocol connections: ss -ua

We can also filter the list based on whether they use the IPv4 or IPv6 internet protocol :

  • Connections under IPv4: ss -4
  • Connections under IPv6: ss -6

Now we are going to refine a little more and list only the connections whose status is "LISTEN" , that is, they remain listening. The most basic command in this case would be ss -l , which shows all the listening sockets, but we can combine it with other options to:

  • List TCP sockets to listen: ss -tl or we can also use the ss -t state listening command
  • List UDP sockets to listen: ss -ul or the ss -u state listening command

Sometimes I like to add the -n option to the previous commands so that the names of the services are not resolved. You can see the difference in the following image.


image

Examples of how to filter connections depending on the protocol (HTTP, FTP, SMTP or SSH) or depending on the port.

Now I am going to show you some examples to list the connections but filtering according to some of the most used protocols:

  • To list HTTP traffic : ss state established '( dport = :http or sport = :http )'
  • View active FTP protocol connections : ss state established '( dport = :ftp or sport = :ftp )'
  • List active connections SMTP : ss state established '( dport= :smtp or sport= :smtp )'
  • See if there are SSH connections : ss state established '( dport = :ssh or sport = :ssh )'

Within this section I must add the possibility to list the connections depending on the port , for example we can use ss -nt dst :80 to list the connections whose destination port is port 80. When what we want to list are the connections whose port The source is 80, we will use the ss -nt src :80 command.

We can monitor several ports simultaneously , for example with the ss -nt '( dst :443 or dst :80 )' command.

Finally, add a little trick that involves using ss conjunction with the watch command, to monitor connections in real time. We could use for example: watch ss -ta

I hope this little tutorial has helped you and serves as a starting point to solve a connection problem, monitor your servers connections, etc.


by (3m points)

Related questions

+3 votes
1 answer
+4 votes
1 answer
+3 votes
1 answer
+5 votes
1 answer
+3 votes
1 answer
9,074 questions
9,177 answers
416 comments
2 users