Show List of Listening Services in Linux using ss

Posted on

In this article, monitoring listening services available in an operating system which is in this context is Linux distribution can be done by executing ‘ss’ command. It is quite similar with ‘netstat’ but ‘ss’ command specifically focus on sockets investigation. This command itself can be assumed as the abbreviation of ‘socket statistics’ to make it easy to be remembered.

Since normally a service started is bound to a certain socket which is representing the local endpoint communication which is used to listen incoming request and pass through to the corresponding service.

Below is an example of the command pattern of ‘ss’ which can be shown as follows :

ss -tulpn
Description : 
ss : It is a command representing utility used to investigate sockets 
-t : It is an additional parameter for the 'ss' command used to add filter for the output for displaying TCP sockets. 
-u : It is an additional parameter for the 'ss' command used to add filter for the output for displaying UDP sockets. 
-l : It is an additional parameter for the 'ss' command used to add filter for the output for displaying only listening  sockets. 
-p : It is an additional parameter for the 'ss' command used to add filter for the output for displaying process associated with the sockets displayed. 
-n : It is an additional parameter for the 'ss' command used to add filter for the output in a numeric format. 

The example of the command’s execution is shown as follows :

root@hostname:/opt# ss -tulpn
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 *:49994 *:* users:(("monetdbd",pid=1552,fd=22))
udp UNCONN 0 0 *:50000 *:* users:(("monetdbd",pid=1552,fd=20))
udp UNCONN 0 0 *:33767 *:* users:(("rpc.mountd",pid=1291,fd=16))
udp UNCONN 0 0 *:5353 *:* users:(("chromium-browse",pid=20149,fd=106))
udp UNCONN 0 0 *:5353 *:* users:(("avahi-daemon",pid=998,fd=12))
udp UNCONN 0 0 192.168.1.130:55014 *:* users:(("dleyna-server-s",pid=9088,fd=16))
udp UNCONN 0 0 *:42770 *:*
udp UNCONN 0 0 192.168.122.1:46941 *:* users:(("dleyna-server-s",pid=9088,fd=22))
udp UNCONN 0 0 239.255.255.250:1900 *:* users:(("dleyna-server-s",pid=9088,fd=24))
udp UNCONN 0 0 192.168.1.100:1900 *:* users:(("dleyna-server-s",pid=9088,fd=23))
udp UNCONN 0 0 239.255.255.250:1900 *:* users:(("dleyna-server-s",pid=9088,fd=21))
udp UNCONN 0 0 192.168.122.1:1900 *:* users:(("dleyna-server-s",pid=9088,fd=20))
udp UNCONN 0 0 239.255.255.250:1900 *:* users:(("dleyna-server-s",pid=9088,fd=18))
udp UNCONN 0 0 172.17.0.1:1900 *:* users:(("dleyna-server-s",pid=9088,fd=17))
udp UNCONN 0 0 239.255.255.250:1900 *:* users:(("dleyna-server-s",pid=9088,fd=15))
udp UNCONN 0 0 192.168.1.130:1900 *:* users:(("dleyna-server-s",pid=9088,fd=14))
udp UNCONN 0 0 239.255.255.250:1900 *:* users:(("dleyna-server-s",pid=9088,fd=12))
udp UNCONN 0 0 127.0.0.1:1900 *:* users:(("dleyna-server-s",pid=9088,fd=11))
udp UNCONN 0 0 *:2049 *:*
udp UNCONN 0 0 192.168.1.100:51365 *:* users:(("dleyna-server-s",pid=9088,fd=25))
udp UNCONN 0 0 172.17.0.1:60352 *:* users:(("dleyna-server-s",pid=9088,fd=19))
udp UNCONN 0 0 127.0.0.1:11211 *:* users:(("memcached",pid=1250,fd=30),("memcached",pid=1250,fd=29),("memcached",pid=1250,fd=28),("memcached",pid=1250,fd=27))
udp UNCONN 0 0 *:52485 *:* users:(("rpc.mountd",pid=1291,fd=12))
udp UNCONN 0 0 *:44369 *:* users:(("avahi-daemon",pid=998,fd=14))
udp UNCONN 0 0 127.0.0.1:32795 *:* users:(("dleyna-server-s",pid=9088,fd=13))
udp UNCONN 0 0 127.0.1.1:53 *:* users:(("dnsmasq",pid=28139,fd=4))
udp UNCONN 0 0 192.168.122.1:53 *:* users:(("dnsmasq",pid=2313,fd=5))
udp UNCONN 0 0 *%virbr0:67 *:* users:(("dnsmasq",pid=2313,fd=3))
udp UNCONN 0 0 *:68 *:* users:(("dhclient",pid=5321,fd=6))
udp UNCONN 0 0 *:68 *:* users:(("dhclient",pid=5307,fd=6))
udp UNCONN 0 0 *:111 *:* users:(("rpcbind",pid=947,fd=6))
udp UNCONN 0 0 192.168.1.100:123 *:* users:(("ntpd",pid=5841,fd=20))
udp UNCONN 0 0 192.168.1.130:123 *:* users:(("ntpd",pid=5841,fd=19))
udp UNCONN 0 0 127.0.0.1:123 *:* users:(("ntpd",pid=5841,fd=18))
udp UNCONN 0 0 *:123 *:* users:(("ntpd",pid=5841,fd=17))
udp UNCONN 0 0 192.168.1.255:137 *:* users:(("nmbd",pid=2110,fd=36))
udp UNCONN 0 0 192.168.1.130:137 *:* users:(("nmbd",pid=2110,fd=35))
udp UNCONN 0 0 192.168.1.255:137 *:* users:(("nmbd",pid=2110,fd=24))
udp UNCONN 0 0 192.168.1.100:137 *:* users:(("nmbd",pid=2110,fd=23))
udp UNCONN 0 0 192.168.122.255:137 *:* users:(("nmbd",pid=2110,fd=28))
udp UNCONN 0 0 192.168.122.1:137 *:* users:(("nmbd",pid=2110,fd=27))
udp UNCONN 0 0 172.17.255.255:137 *:* users:(("nmbd",pid=2110,fd=19))
udp UNCONN 0 0 172.17.0.1:137 *:* users:(("nmbd",pid=2110,fd=18))
udp UNCONN 0 0 *:137 *:* users:(("nmbd",pid=2110,fd=16))
udp UNCONN 0 0 192.168.1.255:138 *:* users:(("nmbd",pid=2110,fd=38))
udp UNCONN 0 0 192.168.1.130:138 *:* users:(("nmbd",pid=2110,fd=37))
udp UNCONN 0 0 192.168.1.255:138 *:* users:(("nmbd",pid=2110,fd=26))
udp UNCONN 0 0 192.168.1.100:138 *:* users:(("nmbd",pid=2110,fd=25))
udp UNCONN 0 0 192.168.122.255:138 *:* users:(("nmbd",pid=2110,fd=30))
udp UNCONN 0 0 192.168.122.1:138 *:* users:(("nmbd",pid=2110,fd=29))
udp UNCONN 0 0 172.17.255.255:138 *:* users:(("nmbd",pid=2110,fd=21))
udp UNCONN 0 0 172.17.0.1:138 *:* users:(("nmbd",pid=2110,fd=20))
udp UNCONN 0 0 *:138 *:* users:(("nmbd",pid=2110,fd=17))
udp UNCONN 0 0 *:45314 *:* users:(("rpc.mountd",pid=1291,fd=8))
udp UNCONN 0 0 *:631 *:* users:(("cups-browsed",pid=1142,fd=8))
udp UNCONN 0 0 *:699 *:* users:(("rpcbind",pid=947,fd=7))
udp UNCONN 0 0 :::46283 :::* users:(("rpc.mountd",pid=1291,fd=18))
udp UNCONN 0 0 :::5353 :::* users:(("avahi-daemon",pid=998,fd=13))
udp UNCONN 0 0 :::51118 :::* users:(("rpc.mountd",pid=1291,fd=14))
udp UNCONN 0 0 :::2049 :::*
udp UNCONN 0 0 :::43520 :::* users:(("rpc.mountd",pid=1291,fd=10))
udp UNCONN 0 0 :::35714 :::* users:(("avahi-daemon",pid=998,fd=15))
udp UNCONN 0 0 :::52906 :::*
udp UNCONN 0 0 :::111 :::* users:(("rpcbind",pid=947,fd=9))
udp UNCONN 0 0 fe80::2e0:4cff:fe53:4458%eth0:123 :::* users:(("ntpd",pid=5841,fd=25))
udp UNCONN 0 0 fe80::5e51:4fff:fe70:2e07%wlan0:123 :::* users:(("ntpd",pid=5841,fd=24))
udp UNCONN 0 0 fd08:63aa:7554:1:5e51:4fff:fe70:2e07:123 :::* users:(("ntpd",pid=5841,fd=23))
udp UNCONN 0 0 fd08:63aa:7554:1:253a:93f6:e0c9:b89e:123 :::* users:(("ntpd",pid=5841,fd=22))
udp UNCONN 0 0 ::1:123 :::* users:(("ntpd",pid=5841,fd=21))
udp UNCONN 0 0 :::123 :::* users:(("ntpd",pid=5841,fd=16))
udp UNCONN 0 0 :::699 :::* users:(("rpcbind",pid=947,fd=10))
tcp LISTEN 0 80 127.0.0.1:3306 *:* users:(("mysqld",pid=29067,fd=18))
tcp LISTEN 0 50 *:139 *:* users:(("smbd",pid=2296,fd=37))
tcp LISTEN 0 128 127.0.0.1:6379 *:* users:(("redis-server",pid=1385,fd=4))
tcp LISTEN 0 128 127.0.0.1:11211 *:* users:(("memcached",pid=1250,fd=26))
tcp LISTEN 0 128 *:111 *:* users:(("rpcbind",pid=947,fd=8))
tcp LISTEN 0 5 *:50000 *:* users:(("monetdbd",pid=1552,fd=18))
tcp LISTEN 0 128 *:58324 *:* users:(("rpc.mountd",pid=1291,fd=9))
tcp LISTEN 0 5 127.0.1.1:53 *:* users:(("dnsmasq",pid=28139,fd=5))
tcp LISTEN 0 5 192.168.122.1:53 *:* users:(("dnsmasq",pid=2313,fd=6))
tcp LISTEN 0 128 *:22 *:* users:(("sshd",pid=1248,fd=3))
tcp LISTEN 0 5 127.0.0.1:631 *:* users:(("cupsd",pid=8790,fd=11))
tcp LISTEN 0 5 127.0.0.1:3128 *:* users:(("cntlm",pid=1515,fd=4))
tcp LISTEN 0 128 127.0.0.1:5432 *:* users:(("postgres",pid=1128,fd=6))
tcp LISTEN 0 100 *:25 *:* users:(("master",pid=3261,fd=12))
tcp LISTEN 0 128 *:5433 *:* users:(("postgres",pid=1247,fd=6))
tcp LISTEN 0 50 *:445 *:* users:(("smbd",pid=2296,fd=36))
tcp LISTEN 0 128 *:42688 *:* users:(("rpc.mountd",pid=1291,fd=13))
tcp LISTEN 0 64 *:2049 *:*
tcp LISTEN 0 5 *:5666 *:* users:(("nrpe",pid=1581,fd=4))
tcp LISTEN 0 64 *:39043 *:*
tcp LISTEN 0 128 *:55683 *:* users:(("rpc.mountd",pid=1291,fd=17))
tcp LISTEN 0 128 127.0.0.1:27017 *:* users:(("mongod",pid=1474,fd=8))
tcp LISTEN 0 50 :::139 :::* users:(("smbd",pid=2296,fd=35))
tcp LISTEN 0 128 :::6379 :::* users:(("redis-server",pid=1516,fd=4))
tcp LISTEN 0 128 :::53291 :::* users:(("rpc.mountd",pid=1291,fd=11))
tcp LISTEN 0 128 :::51758 :::* users:(("rpc.mountd",pid=1291,fd=19))
tcp LISTEN 0 128 :::111 :::* users:(("rpcbind",pid=947,fd=11))
tcp LISTEN 0 128 :::80 :::* users:(("/usr/sbin/apach",pid=7124,fd=4),("/usr/sbin/apach",pid=7123,fd=4),("/usr/sbin/apach",pid=7122,fd=4),("/usr/sbin/apach",pid=7121,fd=4),("/usr/sbin/apach",pid=7120,fd=4),("/usr/sbin/apach",pid=1966,fd=4))
tcp LISTEN 0 128 :::56432 :::* users:(("rpc.mountd",pid=1291,fd=15))
tcp LISTEN 0 128 :::22 :::* users:(("sshd",pid=1248,fd=4))
tcp LISTEN 0 5 ::1:631 :::* users:(("cupsd",pid=8790,fd=10))
tcp LISTEN 0 100 :::25 :::* users:(("master",pid=3261,fd=13))
tcp LISTEN 0 128 :::5433 :::* users:(("postgres",pid=1247,fd=7))
tcp LISTEN 0 128 :::443 :::* users:(("/usr/sbin/apach",pid=7124,fd=6),("/usr/sbin/apach",pid=7123,fd=6),("/usr/sbin/apach",pid=7122,fd=6),("/usr/sbin/apach",pid=7121,fd=6),("/usr/sbin/apach",pid=7120,fd=6),("/usr/sbin/apach",pid=1966,fd=6))
tcp LISTEN 0 50 :::445 :::* users:(("smbd",pid=2296,fd=34))
tcp LISTEN 0 64 :::2049 :::*
tcp LISTEN 0 5 :::5666 :::* users:(("nrpe",pid=1581,fd=5))
tcp LISTEN 0 64 :::46280 :::*
root@hostname:/opt#

This is sample of the reading taken from several parts of the command’s output above :

tcp LISTEN 0 128 :::80 :::* users:(("/usr/sbin/apach",pid=7124,fd=4),("/usr/sbin/apach",pid=7123,fd=4),("/usr/sbin/apach",pid=7122,fd=4),("/usr/sbin/apach",pid=7121,fd=4),("/usr/sbin/apach",pid=7120,fd=4),("/usr/sbin/apach",pid=1966,fd=4))

The above output’s command can be specified as follows :

The first column, Netid is filled with tcp which means the Identifier of the Socket is tcp associated with TCP socket.

The second column, State is filled with LISTEN. It means that the socket is in a listening state.

The third and fourth column represented each for the bytes of data queued to be received (Recv-Q) by the socket and also for the bytes of data queued to be sent (Send-Q) by the socket.

We can memorize it by reading the column identifier Recv-Q as the abbreviation stands for Received in a Queue. The one which are going to be received will be bytes of data through the socket. The other thing is Send-Q also can be memorized as an abbreviation for Send in a Queue. It is symbolizing bytes of data in which is going to be sent through the socket.

The next column is representing the Local Address and also the port where the socket resides. In this context, although the port is already set in port 80, this symbol ::: means that the socket used is listening in all active network interface adapters exist in the host, workstation or server.

The next column after is representing the Foreign Address and the port associated with the port. It is the counterpart of the address and also the socket which can be attached with the local one. The symbol :::* represent that the connection can be made from anywhere and from any port.

The last column is representing the program name and also the Process ID of the program which is currently running. In the above output, the program is located at /usr/bin/apache and holds the Process ID of 7122 currently.

The fd is actually stands for file descriptor or can be assumed as the abbreviation of file descriptor. It is a file which is represented socket used as shown in /proc/$PID/fd. For an example, since the Process ID is 7122 and the fd is 3, there will be a file in /proc/7122/3 if it is checked further as shown below :

root@hostname:/proc/7112/fd# ls -al | grep socket
lrwx------ 1 root root 64 Oct  8 10:39 4 -> socket:[30826]
lrwx------ 1 root root 64 Oct  8 10:39 4 -> socket:[30828]
root@hostname:/proc/7112/fd# 

Based on the command displays above, the socket number is 30826 and 30828 which is linked from file descriptor 4. So, in order to relate the socket number with the corresponding service or process running, it can be traced by typing another command as follows :

root@hostname:/proc/7112/fd# lsof -i -a -p 7112
lsof: WARNING: can't stat() fuse.gvfsd-fuse file system /run/user/1000/gvfs
Output information may be incomplete.
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
/usr/sbin 7122 root    3u  IPv4  30826      0t0  TCP *:http (LISTEN)
/usr/sbin 7122 root    4u  IPv4  30828      0t0  TCP *:https (LISTEN)
root@hostname:/proc/2881/fd#

 As it can be seen in the above output, the DEVICE number field is 30826 and 30828 which is also the number of the socket device used for the service or process to listen for incoming request.

One thought on “Show List of Listening Services in Linux using ss

Leave a Reply