Connection State

You can use the --query or -A query addition to dump a sockets table. The magic word autobound checks for ephemeral ports that sockets have attached themselves to. Prepare yourself for screeds of output, even on a quiet system. An abbreviated version of the output is shown in Listing 8.

You can also filter by TCP states; for instance, the following command filters for sFTP traffic:

# ss state connected dport = :sftp

Anything treated as "current" in relation to the sFTP port is displayed promptly.

You can complicate the command a little more with a boolean operator:

# ss ( sport = :ftp or dport = :http )

You can even use ss to find connections that are in a specific TCP state, including the established, syn-sent, syn-recv, fin-wait-1, fin-wait-2, time-wait, closed, close-wait, last-ack, listen, and closing.

The TCP state parameters let you do some very powerful querying. For example, checking for FIN--WAIT--1 states lets you identify whether your application has closed its side of a connection, but a remote host has not closed its side, thus tying up your machine's precious ports:

ss -o state fin-wait-1 '( sport = \
  :ftp or sport = :http )' \
  dst 10.10.3.3/24:22

Sso It Ends

The ss utility is a powerful tool that will help you query your network in significant detail. Ss is extremely high performance for both manual and automated queries, and it requires very few keystrokes to execute common commands.

This tiny but heroic tool helps flex the muscles of any sys admin. If you want to increase the power of your admin toolkit, try practicing some of the more complex commands in your day-to-day work.