Quick take: The ss command shows network sockets and connections, replacing the older netstat. The everyday command is ss -tuln to list listening TCP and UDP ports; add -p to see which process owns each.
Introduction
The ss command (socket statistics) reports on network connections and listening ports, and it is faster than the older netstat it replaces. When you need to know what is listening on a server, which process owns a port, or whether a connection is established, ss is the tool.
This guide covers listing listening ports, finding the process behind a port, filtering by state, and the equivalent netstat commands for older systems.
Syntax
The basic syntax of the ss command is:
ss [OPTIONS] [FILTER]Common Options and Parameters
The most useful options and parameters for the ss command:
| Option | Description |
|---|---|
| -t | Show TCP sockets. |
| -u | Show UDP sockets. |
| -l | Show only listening sockets. |
| -n | Show numeric ports and addresses (do not resolve names). |
| -p | Show the process using each socket (needs sudo). |
| -a | Show all sockets (listening and established). |
| -s | Print summary statistics. |
| -4 / -6 | Limit to IPv4 or IPv6. |
Practical Examples
Real ss commands you can run today:
# List listening TCP and UDP ports (numeric)
ss -tuln
# Show which process owns each listening port
sudo ss -tulnp
# Show all established TCP connections
ss -t state established
# Find what is listening on port 80
sudo ss -tlnp 'sport = :80'
# Summary of socket statistics
ss -s
# netstat equivalent on older systems
sudo netstat -tulnpDiagnosing Port and Connection Problems
ss is the first tool to reach for when a service will not start or a connection is refused. The classic “address already in use” error means something is already bound to the port — ss finds it instantly.
# What is already listening on port 8080?
sudo ss -tlnp 'sport = :8080'
# Count connections by state (spot too many in TIME-WAIT)
ss -tan | awk '{print $1}' | sort | uniq -c
# All connections to a specific remote host
ss -tn dst 203.0.113.10Combining ss with systemctl and journalctl gives a full diagnostic loop: confirm the port is free with ss, start the service with systemctl, and read why it failed with journalctl.
Tips and Best Practices
ss -tulnpis the command to remember: TCP, UDP, listening, numeric, with process names.- On modern distributions
sshas replacednetstat; the flags are nearly identical so old habits transfer. - To find a port hog, combine with grep:
sudo ss -tulnp | grep :443.
Final Thoughts
ss is the fast, modern way to see what is happening on your network sockets — which ports are open, what is listening, and which process is responsible. Learn ss -tuln and add -p for process names, and you can diagnose “address already in use” errors and audit open ports in seconds. It complements ip for a complete networking toolkit.
FAQ: ss Command in Linux
How do I list listening ports in Linux?+
Run ss -tuln to list listening TCP and UDP ports with numeric addresses. Add -p (with sudo) to also show the owning process.
How do I find which process is using a port?+
Use sudo ss -tulnp and look at the Process column, or filter with sudo ss -tlnp 'sport = :8080' to target a specific port.
What is the difference between ss and netstat?+
ss is the modern, faster replacement for netstat and reads socket information more directly from the kernel. The flags are nearly identical, so ss -tuln matches netstat -tuln.
How do I see all active connections?+
Use ss -a for every socket, or ss -t state established to list only established TCP connections.
Why does ss not show the process name?+
Reading the process that owns a socket requires privileges. Run ss with sudo (sudo ss -tulnp) to reveal the process column.
Need help with Linux servers or infrastructure?
Work directly with Muhammad Irfan Aslam for Linux, Ubuntu, Docker, DevOps, cloud, CI/CD, or infrastructure support.
Hire Me for Support