Using the ss command to view active and established connections

The ss command (short for socket statistics) lists listening and established connections and shows which processes and users are associated with them.

Finding all outbound connections to a particular port

ss -t -o 'dport = :ssh' --resolve |
awk '{print $4,$5,$6}'

desktop:42444 websrv1:ssh timer:(keepalive,61min,0)
desktop:58600 websrv1:ssh timer:(keepalive,36min,0)
desktop:56194 virt1:ssh   timer:(keepalive,117min,0)

Finding all inbound connections to a particular listening port

Remembering that the local side is always on the left, we can see that .6 has a current ssh session.

ss --no-header -t -r 'sport = ssh' |
awk '{print $4,$5}'

10.4.20.3:ssh 10.4.20.6:53338

We can see additional information about the keepalive timers by using the -o option.

ss -t --no-header 'sport = ssh' -o | 
awk '{print $4,$5,$6}'

10.73.1.3:ssh 10.73.1.6:53338 timer:(keepalive,102min,0)

Listing all established TCP connections

Getting a listing of every established TCP connection, along with the user-process, pid, and fd associated with it.

sudo ss \
 --no-header \
 --tcp -4 \
 --processes \
 -o state established 

0      0       10.4.20.3:53464                192.30.253.124:https                 users:(("firefox",pid=5677,fd=175)) timer:(keepalive,1min54sec,0)
0      0       10.4.20.3:48870                192.30.253.124:https                 users:(("firefox",pid=5677,fd=141)) timer:(keepalive,8min41sec,0)
0      0       10.4.20.3:48448                192.30.253.124:https                 users:(("firefox",pid=5677,fd=125)) timer:(keepalive,5min50sec,0)
0      0       10.4.20.3:53316                192.30.253.124:https                 users:(("firefox",pid=5677,fd=258)) timer:(keepalive,5min55sec,0)

Let's try to make the output easier to parse.

sudo ss --no-header --tcp -4 --processes -o state established | (tr --delete "()" | sed s/'users:'// |awk '{print $3,$4,$5}' | unexpand);

10.4.20.3:46174 192.30.253.25:https "firefox",pid=5677,fd=219
10.4.20.3:48780 192.30.253.134:https "firefox",pid=5677,fd=118
10.4.20.3:44782 192.30.253.124:https "firefox",pid=5677,fd=260

Generating JSON

sudo ss --no-header --tcp -4 --processes -o state established | (tr --delete "()" | sed s/'users:'// |awk '{print $3,$4,$5}' | column -t --table-columns local,peer,process --table-name "established tcp connections on $(hostname --short)" --json) | jq;


{
  "established tcp connections on desktop": [
    {
      "local": "10.4.20.3:53464",
      "peer": "192.30.253.124:https",
      "process": "\"firefox\",pid=5677,fd=175"
    },
    {
      "local": "10.4.20.3:44782",
      "peer": "192.30.253.124:https",
      "process": "\"firefox\",pid=5677,fd=260"
    },
    {
      "local": "10.4.20.3:42774",
      "peer": "192.30.253.124:https",
      "process": "\"firefox\",pid=5677,fd=149"
    },
    {
      "local": "10.4.20.3:44910",
      "peer": "192.30.253.124:https",
      "process": "\"firefox\",pid=5677,fd=185"
    },
    {
      "local": "10.4.20.3:46044",
      "peer": "198.252.206.25:https",
      "process": "\"firefox\",pid=5677,fd=80"
    }
  ]
}
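The awk pipeline above picks out the process by field position and leaves it as one raw string (`"firefox",pid=5677,fd=175`), which breaks when a process name contains a space or when several processes share a socket. The following is an added example, not part of the original page: a helper (the name `ss_split` and the sample lines are constructed for illustration) that emits one tab-separated row per owning process with name, pid and fd split out, and keeps connections whose owner ss could not see (for example when run without sudo).

```shell
#!/bin/sh
# Constructed sample input in the format printed by
#   ss --no-header --tcp -4 --processes -o state established
# (Recv-Q Send-Q Local Peer [users:(...)] [timer:(...)]). Not real traffic.
sample_lines() {
cat <<'EOF'
0 0 10.4.20.3:53464 192.0.2.10:https users:(("firefox",pid=5677,fd=175)) timer:(keepalive,1min54sec,0)
0 0 10.4.20.3:ssh 10.4.20.6:53338 users:(("sshd",pid=901,fd=4),("sshd",pid=880,fd=4)) timer:(keepalive,102min,0)
0 0 10.4.20.3:41000 198.51.100.7:https users:(("Web Content",pid=6001,fd=33))
0 0 10.4.20.3:40222 198.51.100.9:http
EOF
}

# ss_split (hypothetical helper name): one tab-separated row per owning
# process: local, peer, process name, pid, fd.
ss_split() {
    awk '
    BEGIN { OFS = "\t" }
    NF < 4 { next }                     # skip blank or truncated lines
    {
        lep = $3; pep = $4; rest = $0; found = 0
        # Scan the raw line: a socket can have several owners, and a
        # process name can contain spaces, so $5 alone is not reliable.
        while (match(rest, /"[^"]*",pid=[0-9]+,fd=[0-9]+/)) {
            entry = substr(rest, RSTART, RLENGTH)
            rest  = substr(rest, RSTART + RLENGTH)
            q     = index(substr(entry, 2), "\"")   # closing quote of the name
            name  = substr(entry, 2, q - 1)
            split(substr(entry, q + 2), kv, /[,=]/) # "", pid, N, fd, N
            print lep, pep, name, kv[3], kv[5]
            found = 1
        }
        # No users:(...) field: ss could not see the owning process.
        # Keep the connection rather than dropping it.
        if (!found) print lep, pep, "-", "-", "-"
    }'
}

sample_lines | ss_split
```

On a live system, feed it with `sudo ss --no-header --tcp -4 --processes -o state established | ss_split`; rows ending in `- - -` are the ones worth re-checking with root privileges.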

Here are some bashrc aliases I have:

Get-ListeningTCP

sudo ss --listening --tcp \
        --numeric   --processes |
column -t

Get-ListeningUDP

sudo ss --listening --udp \
        --numeric   --processes |
column -t

Get-EstablishedAll

sudo ss --options state established --ipv4 \
        --resolve --processes |
column -t

Get-EstablishedHTTP
On a client this will mostly show the sites you are connecting to; on a web server it will show established inbound connections.

sudo ss --options state established --ipv4 \
         --resolve --processes \
'( dport = :http or sport = :http or dport = :https or sport = :https )'

Get-EstablishedSSH

sudo ss --options state established '( dport = :ssh or sport = :ssh )' | column --table