SS Command Builder - Interactive Socket Statistics Tool
Meta Information
Title Tag: SS Command Builder | Interactive Linux Socket Statistics Generator Meta Description: Build ss commands visually with our interactive generator. Monitor network connections, filter by port/state, and investigate sockets faster than netstat. Free Linux network tool. Keywords: ss command generator, socket statistics tool, linux ss tutorial, ss vs netstat, network connection monitor, tcp socket filter, listening ports scanner, ss tlnp command
Structured Data (JSON-LD)
{
"@context": "https://schema.org",
"@type": "WebApplication",
"name": "SS Command Builder",
"description": "Interactive visual builder for Linux ss socket statistics commands",
"applicationCategory": "DeveloperApplication",
"operatingSystem": "Linux, macOS, Unix",
"offers": {
"@type": "Offer",
"price": "0",
"priceCurrency": "USD"
},
"featureList": [
"Visual ss command generation",
"Protocol filtering (TCP/UDP/Unix)",
"Connection state filtering",
"Port and address filtering",
"Process information display",
"Socket summary statistics"
]
}Main Content
What is the SS Command?
The ss (socket statistics) command is a modern Linux utility for investigating network sockets and TCP/IP connections [^39^]. It has replaced the deprecated netstat command on most Linux distributions because it is significantly faster and more feature-rich [^31^][^33^].
Why SS is Faster: Unlike netstat, which reads and parses large text files from the /proc filesystem, ss communicates directly with the Linux kernel via the netlink socket - an efficient binary protocol that provides faster data retrieval [^32^].
Common Use Cases:
- Identify which processes are listening on specific ports
- Monitor active network connections and their states
- Troubleshoot connection issues (TIME_WAIT, CLOSE_WAIT)
- Investigate suspicious network activity
- Analyze socket memory usage and performance
- Filter connections by protocol, port, or address
Why Use This SS Command Builder?
Building ss commands requires understanding complex filtering syntax. Our visual builder helps you:
- ✅ Generate commands without memorizing filter expressions
- ✅ Understand TCP connection states and their meanings
- ✅ Copy production-ready commands instantly
- ✅ Learn socket monitoring through interactive examples
Core Features
1. Protocol Selection
Filter sockets by network protocol:
- TCP sockets (-t): Display transmission control protocol connections [^32^]
- UDP sockets (-u): Display user datagram protocol sockets [^38^]
- Unix sockets (-x): Display local inter-process communication [^35^]
- Raw sockets (-w): Display low-level protocol access [^38^]
- Packet sockets (-0): Display packet-level information [^35^]
2. Socket State Filtering
Investigate connections by their current state [^31^][^36^]:
- Listening (-l): Show only listening sockets awaiting connections
- Established: Active connections currently communicating
- Time-Wait: Connections waiting for timeout (potential port exhaustion)
- Close-Wait: Remote side closed, local application hasn't [^31^]
- Syn-Sent/Syn-Recv: Connection handshake in progress
- Fin-Wait/Close: Connection termination states
3. Address and Port Filtering
Powerful filtering capabilities [^35^]:
- By destination:
ss dst 192.168.1.100- connections to specific IP - By source:
ss src 10.0.0.0/24- connections from subnet - By destination port:
ss dport = :443- HTTPS connections - By source port:
ss sport = :22- SSH connections - Port ranges:
ss dport ge :8000 and dport le :9000
4. Output Information Control
Customize displayed information:
- Numeric mode (-n): Show IP addresses instead of hostnames [^31^]
- Process info (-p): Display PID and process name using socket [^36^]
- Extended info (-e): Show detailed socket information including user [^32^]
- Timer info (-o): Display TCP timer information (retransmit, keepalive) [^31^]
- Memory usage (-m): Show socket memory consumption [^36^]
- Internal TCP info (-i): Display congestion control algorithm [^36^]
Common SS Command Patterns
Basic Socket Monitoring
# Show all TCP connections (default behavior)
ss
# Show all sockets (listening and non-listening)
ss -a
# Show listening sockets only
ss -l
# The most common command: listening TCP with process info
ss -tlnpProtocol-Specific Inspection
# Show only TCP sockets
ss -t
# Show only UDP sockets
ss -u
# Show both TCP and UDP
ss -t -u
# Show only IPv4 sockets
ss -4
# Show only IPv6 sockets
ss -6
# Show Unix domain sockets
ss -xFinding Listening Services
# What's listening on port 80?
sudo ss -tlnp | grep :80
# Find process using port 8080
sudo ss -tlnp sport = :8080
# Show all listening TCP and UDP with processes
sudo ss -tulnpConnection State Analysis
# Show established connections only
ss -t state established
# Show connections in TIME-WAIT (check for port exhaustion)
ss -t state time-wait
# Show CLOSE-WAIT connections (potential resource leaks)
ss -t state close-wait
# Count connections by state
ss -t -a | awk '{print $1}' | sort | uniq -c | sort -rnAdvanced Filtering
# Connections to specific IP
ss -tn dst 192.168.1.100
# Connections from specific subnet
ss -tn src 10.0.0.0/24
# HTTPS connections established
ss -tn state established dport = :443
# SSH connections from specific IP
ss -tn src 203.0.113.50 sport = :22
# All connections except SSH
ss -tn 'not dport = :22 and not sport = :22'Socket Statistics and Summary
# Summary statistics
ss -s
# Show timer information
ss -to
# Show socket memory usage
ss -tm
# Show extended information
ss -teSS Output Fields Explained
Standard Output Columns [^38^]
| Field | Description |
|---|---|
| Netid | Socket type (tcp, udp, u_str, icmp6) |
| State | Connection state (ESTAB, LISTEN, TIME-WAIT) |
| Recv-Q | Received packets in queue waiting to be read |
| Send-Q | Packets in queue waiting to be sent |
| Local Address | Local system IP address and port |
| Peer Address | Remote system IP address and port |
| Process | Process name and PID (with -p option) |
Socket States Reference [^31^][^36^]
| State | Description |
|---|---|
| ESTAB | Established - active connection |
| SYN-SENT | SYN sent, waiting for SYN-ACK |
| SYN-RECV | SYN received, sent SYN-ACK |
| FIN-WAIT-1 | FIN sent, waiting for ACK/FIN |
| FIN-WAIT-2 | ACK received, waiting for FIN |
| TIME-WAIT | Waiting for timeout (2MSL) |
| CLOSE | Connection closed |
| CLOSE-WAIT | Remote closed, local not yet |
| LAST-ACK | FIN sent, waiting for final ACK |
| LISTEN | Waiting for incoming connections |
| CLOSING | Both sides closing simultaneously |
SS Command Options Reference
Protocol Filters
| Option | Description |
|---|---|
| -t, --tcp | TCP sockets only [^32^] |
| -u, --udp | UDP sockets only [^38^] |
| -S, --sctp | SCTP sockets only [^38^] |
| -w, --raw | Raw sockets [^35^] |
| -x, --unix | Unix domain sockets [^35^] |
| -4, --ipv4 | IPv4 sockets only [^40^] |
| -6, --ipv6 | IPv6 sockets only [^40^] |
State and Selection Filters
| Option | Description |
|---|---|
| -a, --all | All sockets (listening and non-listening) [^38^] |
| -l, --listening | Listening sockets only [^31^] |
| state <state> | Filter by TCP state [^31^] |
| dst <addr> | Filter by destination address [^35^] |
| src <addr> | Filter by source address [^35^] |
| dport <op> <port> | Filter by destination port [^31^] |
| sport <op> <port> | Filter by source port [^35^] |
Output Modifiers
| Option | Description |
|---|---|
| -n, --numeric | Don't resolve service names [^31^] |
| -r, --resolve | Resolve hostnames [^38^] |
| -p, --processes | Show process information [^36^] |
| -e, --extended | Show detailed socket info [^32^] |
| -o, --options | Show timer information [^31^] |
| -m, --memory | Show socket memory usage [^36^] |
| -i, --info | Show internal TCP info [^36^] |
| -s, --summary | Show summary statistics [^38^] |
| -H, --no-header | Suppress header line [^38^] |
Comparison Operators for Ports
| Operator | Description |
|---|---|
| = or == | Equal to |
| != | Not equal to |
| < or lt | Less than |
| > or gt | Greater than |
| <= or le | Less than or equal |
| >= or ge | Greater than or equal |
SS vs Netstat Comparison
| Task | Netstat | SS |
|---|---|---|
| Listening TCP | netstat -tlnp | ss -tlnp [^33^] |
| All connections | netstat -an | ss -an [^33^] |
| Statistics | netstat -s | ss -s [^33^] |
| Filter by state | Complex grep/awk | ss state established [^34^] |
| Filter by port | grep | ss dport = [^34^] |
| Performance | Slower (reads /proc) | Faster (netlink socket) [^32^] |
| Memory usage | High with many connections | Constant, efficient [^37^] |
FAQ
What is the difference between ss and netstat?
The ss command is the modern replacement for netstat. It is significantly faster and more efficient because it communicates directly with the kernel via netlink socket instead of parsing /proc files [^32^][^33^]. SS also provides more powerful filtering capabilities and detailed socket information [^34^].
What does ss -tlnp do?
This is the most common ss command combination: -t shows TCP sockets, -l shows only listening sockets, -n displays numeric addresses (no DNS resolution), and -p shows which processes are using the sockets [^31^]. It's the go-to command for finding what services are running on which ports.
How do I check which process is using a specific port?
Use sudo ss -tlnp | grep :PORT or more specifically sudo ss -tlnp sport = :PORT [^31^]. The -p flag requires elevated privileges to see all process information.
What does TIME-WAIT state mean?
TIME-WAIT is a normal TCP state where a connection has been closed but the socket waits to ensure any delayed packets are handled properly [^31^]. High numbers of TIME-WAIT connections can indicate port exhaustion issues on busy servers.
What is CLOSE-WAIT and why should I worry about it?
CLOSE-WAIT means the remote side has closed the connection, but your local application hasn't properly closed its end [^31^]. Accumulating CLOSE-WAIT connections usually indicates an application bug where the program isn't releasing resources properly.
How do I filter connections by IP address?
Use ss dst IP_ADDRESS for destination filtering or ss src IP_ADDRESS for source filtering [^35^]. You can also use CIDR notation like ss src 192.168.1.0/24 [^31^].
Can I see connection statistics with ss?
Yes, use ss -s to get summary statistics showing counts of TCP, UDP, and other sockets in various states [^38^]. This is much faster than parsing netstat output with awk [^33^].
How do I monitor connections in real-time?
While ss shows a static snapshot, you can wrap it in watch: watch -n 2 'ss -t state established' [^31^]. For continuous monitoring, consider using tools like nettop or iftop.
Technical Specifications
- Zero dependencies: Runs entirely in browser
- No backend required: Static hosting compatible
- Offline capable: Works without internet after initial load
- Privacy focused: No data leaves your browser
- Keyboard shortcuts: Full keyboard navigation support
Related Tools
- netstat Command Reference
- lsof Network Connections
- tcpdump Packet Analyzer
- netcat Port Scanner
- lsof Open Files
- iptables Rule Builder
Resources
- ss(8) Linux Manual Page [^39^]
- Red Hat SS Command Guide [^40^]
- DigitalOcean SS Tutorial [^31^]
- GeeksforGeeks SS Guide [^32^]
Last Updated: 2025 License: Free to use Platform: Web-based, works on all modern browsers