netstat and ss

What's listening on port 80? What connections are open? These commands tell you.

ss - The Modern Tool

ss (socket statistics) is the modern replacement for netstat.

Show All Connections

Terminal
$ ss -a
(all sockets)

Listening Ports Only

Terminal
$ ss -l
(listening sockets only)

TCP Connections

Terminal
$ ss -t
(TCP only)

UDP Connections

Terminal
$ ss -u
(UDP only)

The Useful Combo: ss -tulpn

Terminal
$ ss -tulpn
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=1234,fd=3))
tcp   LISTEN 0      511    0.0.0.0:80         0.0.0.0:*         users:(("nginx",pid=2345,fd=6))
tcp   LISTEN 0      128    127.0.0.1:3306     0.0.0.0:*         users:(("mysqld",pid=3456,fd=33))

This is the command you'll use most:

  • t - TCP
  • u - UDP
  • l - Listening
  • p - Show process name (needs root to see other users' processes)
  • n - Numeric (don't resolve names)

Remember: tulpn

ss -tulpn - "What's listening and what process owns it?" You'll type this a hundred times.

Find What's on a Port

Terminal
$ ss -tlpn | grep :80
tcp LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=2345,fd=6))

Or use the sport (source port) filter, which matches the port exactly (grep :80 also matches :8080):

Terminal
$ ss -tlpn sport = :80
(same result)
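
Added example (not part of the original page): the Local Address column shows whether a listener is reachable from the network (0.0.0.0, *, [::]) or only from the machine itself (127.0.0.1, [::1]). This script classifies ss -H -tulpn lines that way and looks up a port by exact match; the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify `ss -H -tulpn` listeners by network exposure.

# Constructed sample lines, modeled on the output shown on this page.
sample_ss_output() {
    cat <<'EOF'
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=1234,fd=3))
tcp LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=2345,fd=6))
tcp LISTEN 0 128 127.0.0.1:3306 0.0.0.0:* users:(("mysqld",pid=3456,fd=33))
tcp LISTEN 0 511 *:8080 *:* users:(("node",pid=5678,fd=20))
udp UNCONN 0 0 [::1]:323 [::]:*
EOF
}

# stdin: ss -H -tulpn lines. stdout: "scope proto port process" per socket.
classify_listeners() {
    awk '{
        port = $5; sub(/.*:/, "", port)          # text after the last colon
        addr = $5; sub(/:[^:]*$/, "", addr)      # text before the last colon
        # 127.0.0.0/8 and [::1] are loopback; 0.0.0.0, * and [::] are not.
        scope = (addr ~ /^127\./ || addr == "[::1]") ? "loopback" : "exposed"
        proc = "-"                               # blank when -p lacks privileges
        if (match($0, /\(\("[^"]+"/))
            proc = substr($0, RSTART + 3, RLENGTH - 4)
        print scope, $1, port, proc
    }'
}

# Exact port lookup: port 80 does not match 8080.
port_owner() {
    classify_listeners | awk -v p="$1" '$3 == p { print $4 }'
}

# Demo on the sample; on a real host run: ss -H -tulpn | classify_listeners
sample_ss_output | classify_listeners
```

Anything marked "exposed" that you did not expect to serve the network is worth a look at the service's bind address or the host firewall.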

netstat - The Classic

netstat is older but still widely used:

Terminal
$ netstat -tulpn
Proto Recv-Q Send-Q Local Address Foreign Address State  PID/Program
tcp   0      0      0.0.0.0:22    0.0.0.0:*       LISTEN 1234/sshd
tcp   0      0      0.0.0.0:80    0.0.0.0:*       LISTEN 2345/nginx

Same flags, similar output.

ss vs netstat

ss is faster and has more features. netstat might not be installed on newer systems. Learn ss, fall back to netstat on older systems.

Active Connections

Terminal
$ ss -tn state established
Recv-Q Send-Q Local Address:Port Peer Address:Port
0      0      192.168.1.100:22   192.168.1.50:54321
0      0      192.168.1.100:80   203.0.113.45:12345

Shows active (established) connections.

Count Connections by State

Terminal
$ ss -s
Total: 150
TCP:   75 (estab 45, closed 10, orphaned 0, timewait 20)

Good for a quick health check.

Troubleshooting Scenarios

Port Already in Use

Terminal
$ ss -tlpn | grep :3000
tcp LISTEN 0 511 *:3000 *:* users:(("node",pid=5678,fd=20))
$ # Kill it:
$ kill 5678

Check If Service Is Listening

Terminal
$ ss -tlpn | grep :443
(no output = nothing on 443)

Too Many Connections?

Terminal
$ ss -Htn state established | wc -l
1523
(-H drops the header line so it isn't counted)

Knowledge Check

Which command shows what process is listening on port 80?

Quick Reference

Command                    Shows
ss -tulpn                  Listening ports + processes
ss -t                      TCP connections
ss -tn state established   Active connections
ss -s                      Connection statistics
netstat -tulpn             Same as ss (legacy)

Key Takeaways

  • ss -tulpn is your go-to (listening ports + processes)
  • Use grep :PORT to find specific ports
  • ss is modern, netstat is legacy
  • -n keeps output numeric (faster)
  • -p shows which process owns the socket
