Netstat, SS and RHEL 7 / CentOS

The netstat command no longer exists in default installation of CentOS / RHEL 7. It is now replaced with ss command.

The ss command is used to show socket statistics. It can display stats for PACKET sockets, TCP sockets, UDP sockets, DCCP sockets, RAW sockets, Unix domain sockets, and more. It allows showing information similar to netstat command. It can display more TCP and state information than other tools. It is a new, incredibly useful and faster (as compare to netstat) tool for tracking TCP connections and sockets. SS can provide information about:

  • All TCP sockets.
  • All UDP sockets.
  • All established ssh / ftp / http / https connections.
  • All local processes connected to X server.
  • Filtering by state (such as connected, synchronized, SYN-RECV, SYN-SENT,TIME-WAIT), addresses and ports.
  • All the tcp sockets in state FIN-WAIT-1 and much more.

Most Linux distributions are shipped with ss and many monitoring tools. Being familiar with this tool helps enhance your understand of what’s going on in the system sockets and helps you find the possible causes of a performance problem.

Task: Display Sockets Summary

List currently established, closed, orphaned and waiting TCP sockets, enter:
# ss -s
Sample Output:

Task: Display All Open Network Ports

# ss -l
Sample Output:

Type the following to see process named using open socket:
# ss -pl
Find out who is responsible for opening socket / port # 4949:
# ss -lp | grep 4949
Sample output:

munin-node (PID # 3772) is responsible for opening port # 4949. You can get more information about this process (like memory used, users, current working directory and so on) visiting /proc/3772 directory:
# cd /proc/3772
# ls -l

Task: Display All TCP Sockets

# ss -t -a

Task: Display All UDP Sockets

# ss -u -a

Task: Display All RAW Sockets

# ss -w -a

Task: Display All UNIX Sockets

# ss -x -a

Task: Display All Established SMTP Connections

# ss -o state established '( dport = :smtp or sport = :smtp )'

Task: Display All Established HTTP Connections

# ss -o state established '( dport = :http or sport = :http )'

Task: Find All Local Processes Connected To X Server

# ss -x src /tmp/.X11-unix/*

Task: List All The Tcp Sockets in State FIN-WAIT-1

List all the TCP sockets in state -FIN-WAIT-1 for our httpd to network 202.54.1/24 and look at their timers:
# ss -o state fin-wait-1 '( sport = :http or sport = :https )' dst 202.54.1/24

How do I filter Sockets using TCP states?

The syntax is as follows:

Where FILTER-NAME-HERE can be any one of the following,

  1. established
  2. syn-sent
  3. syn-recv
  4. fin-wait-1
  5. fin-wait-2
  6. time-wait
  7. closed
  8. close-wait
  9. last-ack
  10. listen
  11. closing
  12. all : All of the above states
  13. connected : All the states except for listen and closed
  14. synchronized : All the connected states except for syn-sent
  15. bucket : Show states, which are maintained as minisockets, i.e. time-wait and syn-recv.
  16. big : Opposite to bucket state.


Type the following command to see closing sockets:

How do I match remote address and port numbers?

Use the following syntax:

Find out connection made by remote to our local virtual servers:
# ss dst
Sample outputs:

How do I match local address and port numbers?

How do I compare local and/or remote port to a number?

Use the following syntax:

Where OP can be one of the following:

  1. <= or le : Less than or equal to port
  2. >= or ge : Greater than or equal to port
  3. == or eq : Equal to port
  4. != or ne : Not equal to port
  5. < or gt : Less than to port
  6. > or lt : Greater than to port
  7. Note: le, gt, eq, ne etc. are use in unix shell and are accepted as well.


ss command options summary