Active network connections reveal which local services are reachable and which processes are currently talking to remote endpoints, helping isolate misconfigurations and spot unexpected activity during troubleshooting or incident response.
Linux maintains socket state in the kernel for TCP, UDP, and UNIX traffic. The ss utility reads these tables and can display listeners, established sessions, queue depth, and owning process IDs so open ports can be mapped back to the responsible binaries.
Process-to-socket mapping is often restricted without root privileges, so commands that include PID and program names typically require sudo. Numeric output avoids slow or misleading name resolution, and short-lived connections can appear and disappear between runs, making repeated checks useful when investigating bursts.
Related: How to investigate a Linux intrusion
Related: How to list open ports on Linux
Steps to check active network connections with ss in Linux:
- List listening ports and owning processes.
```
$ sudo ss -tulpn
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:PortProcess
udp   UNCONN 0      0      127.0.0.54:53       0.0.0.0:*    users:(("systemd-resolve",pid=8515,fd=16))
udp   UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*    users:(("systemd-resolve",pid=8515,fd=14))
udp   UNCONN 0      0      192.0.2.40%eth0:68  0.0.0.0:*    users:(("systemd-network",pid=529,fd=18))
tcp   LISTEN 0      4096   127.0.0.54:53       0.0.0.0:*    users:(("systemd-resolve",pid=8515,fd=17))
tcp   LISTEN 0      4096   0.0.0.0:22          0.0.0.0:*    users:(("sshd",pid=2952,fd=3),("systemd",pid=1,fd=129))
tcp   LISTEN 0      5      127.0.0.1:9000      0.0.0.0:*    users:(("python3",pid=9163,fd=3))
tcp   LISTEN 0      4096   127.0.0.53%lo:53    0.0.0.0:*    users:(("systemd-resolve",pid=8515,fd=15))
tcp   LISTEN 0      4096   [::]:22             [::]:*       users:(("sshd",pid=2952,fd=4),("systemd",pid=1,fd=130))
```
Sockets in LISTEN state on 0.0.0.0 or [::] accept traffic on all interfaces, while 127.0.0.1 is local-only.
- Summarize current socket counts by protocol and state.
```
$ sudo ss -s
Total: 184
TCP:   9 (estab 3, closed 0, orphaned 1, timewait 0)

Transport Total     IP        IPv6
RAW       1         0         1
UDP       3         3         0
TCP       9         8         1
INET      13        11        2
FRAG      0         0         0
```
A sudden rise in SYN-RECV or TIME-WAIT can indicate bursts of traffic or connection churn.
- List established TCP connections.
```
$ sudo ss -tpn state established
Recv-Q  Send-Q Local Address:Port Peer Address:Port   Process
0       0      192.0.2.40:22      203.0.113.10:49829  users:(("sshd",pid=6076,fd=4),("sshd",pid=5961,fd=4))
2444583 0      127.0.0.1:53274    127.0.0.1:9000      users:(("curl",pid=9169,fd=5))
0       0      192.0.2.40:22      203.0.113.10:52373  users:(("sshd",pid=7713,fd=4),("sshd",pid=7657,fd=4))
```
Local Address:Port identifies the local endpoint, while Peer Address:Port shows the remote endpoint for correlation with logs and firewall rules.
- Inspect the process owning a suspicious connection.
```
$ ps -fp 9163
UID          PID    PPID  C STIME TTY          TIME CMD
root        9163    9161  0 05:55 ?        00:00:00 python3 -m http.server 9000 --bind 127.0.0.1 --directory /root/sg-work/net-demo
```
Terminating the wrong PID can drop active sessions or stop a critical service.
- Resolve the executable path for the PID reported by ss.
```
$ sudo readlink -f /proc/9163/exe
/usr/bin/python3.12
```
A target ending in (deleted) can indicate the on-disk binary was removed or replaced after the process started.
- Filter the listener list to a single port when checking exposure.
```
$ sudo ss -tulpn | grep ':22'
tcp   LISTEN 0      4096   0.0.0.0:22          0.0.0.0:*    users:(("sshd",pid=2952,fd=3),("systemd",pid=1,fd=129))
tcp   LISTEN 0      4096   [::]:22             [::]:*       users:(("sshd",pid=2952,fd=4),("systemd",pid=1,fd=130))
```
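The steps above combined into one pass, as an added example that is not part of the original page: it classifies each listener by bind scope, extracts every owning PID, and reports whether each PID's executable is still present on disk. The function names, the `--live` switch and the embedded sample rows are assumptions made for this illustration.

```sh
#!/bin/sh
# Added example: triage `ss -tulpn` listeners by exposure and owning PID.

# Constructed sample in `ss -H -tulpn` format, reusing rows from the output above.
SAMPLE='udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=8515,fd=14))
tcp LISTEN 0 4096 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=2952,fd=3),("systemd",pid=1,fd=129))
tcp LISTEN 0 5 127.0.0.1:9000 0.0.0.0:* users:(("python3",pid=9163,fd=3))
tcp LISTEN 0 4096 [::]:22 [::]:* users:(("sshd",pid=2952,fd=4),("systemd",pid=1,fd=130))'

# Read ss rows on stdin; print "scope proto addr port pids" for each listener.
classify_listeners() {
  awk '
    $1 != "tcp" && $1 != "udp" { next }          # skips the header and other families
    {
      ep = $5
      if (!match(ep, /:[0-9]+$/)) next           # port follows the last colon
      addr = substr(ep, 1, RSTART - 1); port = substr(ep, RSTART + 1)
      sub(/%.*$/, "", addr)                      # drop interface suffix such as %lo
      if (addr ~ /^127\./ || addr == "[::1]") scope = "local-only"
      else if (addr == "0.0.0.0" || addr == "[::]" || addr == "*") scope = "all-interfaces"
      else scope = "one-address"
      pids = ""; rest = $0
      while (match(rest, /pid=[0-9]+/)) {        # a socket can have several owners
        pids = pids (pids == "" ? "" : ",") substr(rest, RSTART + 4, RLENGTH - 4)
        rest = substr(rest, RSTART + RLENGTH)
      }
      print scope, $1, addr, port, (pids == "" ? "-" : pids)
    }'
}

# Classify a /proc/PID/exe link target; empty means unreadable (exited or no privilege).
exe_state() {
  case "$1" in
    "")            echo "unreadable" ;;
    *" (deleted)") echo "deleted" ;;
    *)             echo "present" ;;
  esac
}

# Live use (root is needed for PID mapping): sh script.sh --live
if [ "${1:-}" = "--live" ]; then
  ss -H -tulpn | classify_listeners | while read -r scope proto addr port pids; do
    for pid in $(echo "$pids" | tr ',' ' '); do
      [ "$pid" = "-" ] && continue
      target=$(readlink "/proc/$pid/exe" 2>/dev/null)
      echo "$scope $proto $addr:$port pid=$pid exe=${target:-?} [$(exe_state "$target")]"
    done
  done
fi
```

Rows reported as all-interfaces with an exe state of deleted or unreadable are the ones to look at first.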
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.
