Listing open ports on Linux surfaces which services are reachable over the network, which is essential for hardening firewalls, validating service configuration, and detecting unexpected listeners. The ss utility from the iproute2 suite provides a fast, modern replacement for legacy netstat and reads socket information directly from the kernel.
The ss command queries the kernel’s netlink interface and can display sockets filtered by protocol, address family, state, address, and port. Options such as -t for TCP, -u for UDP, -l for listening sockets, and -n for numeric addresses control which sockets appear and how they are formatted. Additional flags like -p can annotate sockets with the owning process and PID, which simplifies tracing ports back to services.
Running ss without elevated permissions hides process details for sockets owned by other users, and some distributions restrict access to detailed socket metadata. Invoking sudo ss exposes full connection information but may reveal sensitive IP addresses, hostnames, and process paths, so access should be limited to trusted administrators. In virtualized or containerized environments, network namespaces, bridges, and firewall rules affect visibility, so interpreting ss output correctly requires awareness of the system’s network topology.
Steps to list open ports with ss on Linux:
- Open a terminal with privileges suitable for inspecting system sockets.
$ whoami
user
Running with sudo privileges reveals process and user columns for sockets owned by other accounts.
- List all listening TCP and UDP ports using numeric addresses and ports.
$ ss -tuln
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:68         0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:123        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      511    0.0.0.0:80         0.0.0.0:*
##### snipped #####
Options -t and -u restrict output to TCP and UDP, -l limits results to listening sockets, and -n disables DNS and service-name lookups for speed.
- Display listening ports annotated with process name and PID.
$ sudo ss -tulnp
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=1024,fd=3))
tcp   LISTEN 0      511    0.0.0.0:80         0.0.0.0:*         users:(("nginx",pid=1456,fd=6))
##### snipped #####
Command ss -p reveals executable details and PIDs, which may expose sensitive process information that should not be shared from production systems.
- Inspect all TCP connections, including established and time-wait states, to see current traffic endpoints.
$ ss -tan
State     Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB     0      0      192.0.2.10:22      198.51.100.5:51234
ESTAB     0      0      192.0.2.10:443     203.0.113.15:49876
TIME-WAIT 0      0      192.0.2.10:443     203.0.113.20:50123
##### snipped #####
Replacing -l with -a shows both listening and non-listening sockets, which is useful for observing active client and server connections.
- Filter sockets by local source port to isolate a single service, such as SSH on port 22.
$ ss -tuln 'sport = :22'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
Filters support expressions like sport = :PORT or dport = :PORT and can be combined with other options to narrow results.
- Search for open ports belonging to a specific daemon, such as nginx, using standard text filters.
$ sudo ss -tulnp | grep nginx
tcp   LISTEN 0      511    0.0.0.0:80         0.0.0.0:*         users:(("nginx",pid=1456,fd=6))
Combining ss with tools such as grep or awk produces focused views tailored to individual services.
- Limit the output to IPv4 or IPv6 sockets when troubleshooting address-family specific issues.
$ ss -tuln4
$ ss -tuln6
Options -4 and -6 constrain results to IPv4 and IPv6 sockets respectively, clarifying whether a service listens on one or both families.
- Capture the current list of open ports and owning processes into a text file for offline analysis or auditing.
$ sudo ss -tulnp > open-ports-$(date +%F).txt
Stored snapshots may contain IP addresses, hostnames, and process identifiers that should be treated as sensitive operational data.
- Verify that a port is closed after stopping a service by rerunning a filtered query for that port and confirming no output appears.
$ ss -tuln 'sport = :80'
Absence of matching lines indicates no process is listening on the specified port within the inspected network namespace.
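As an added example (not part of the original guide), the following script compares ss -tulnp output with an allowlist of expected protocol/port pairs and prints every listener outside it, which turns the steps above into a repeatable check for unexpected listeners. The allowlist contents, the function names, and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: report listeners from `ss -tulnp` that are not on an allowlist.
# ALLOWED is a hypothetical baseline of proto/port pairs; set it per host.
ALLOWED="tcp/22 tcp/80 udp/68 udp/123"

# Reads `ss -tulnp` output on stdin; prints "proto/port address process" for
# every listening socket whose proto/port pair is missing from the list in $1.
unexpected_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 != "tcp" && $1 != "udp" { next }        # header, snip markers, blanks
        $2 != "LISTEN" && $2 != "UNCONN" { next }  # TCP listeners, unconnected UDP
        {
            port = $5; sub(/.*:/, "", port)        # text after the last colon
            addr = $5; sub(/:[^:]*$/, "", addr)    # keeps [::] and * intact
            proc = (NF >= 7) ? $7 : "-"            # no Process column without -p
            key = $1 "/" port
            if (!(key in ok)) print key, addr, proc
        }'
}

# Constructed sample in the same column layout as the outputs above.
sample_ss_output() {
    cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:68         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=1024,fd=3))
tcp   LISTEN 0      511    0.0.0.0:80         0.0.0.0:*         users:(("nginx",pid=1456,fd=6))
tcp   LISTEN 0      5      [::]:8000          [::]:*            users:(("python3",pid=2201,fd=3))
tcp   LISTEN 0      128    127.0.0.1:6379     0.0.0.0:*         users:(("redis-server",pid=990,fd=6))
EOF
}

# Demo on the sample. On a live host:
#   sudo ss -tulnp | unexpected_listeners "$ALLOWED"
sample_ss_output | unexpected_listeners "$ALLOWED"
```

The address column in the report distinguishes a loopback-only listener (127.0.0.1) from one bound to all interfaces, which matters when deciding whether a finding is reachable from the network.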
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.
