Checking connections on a particular service

So let's say you want to see how many established connections you have on a particular port/service. Most people would use netstat; however, I prefer ss.

On a Debian-based system, ss is installed with the iproute package.

user@server: ~ $ sudo dpkg -S `which ss`
iproute: /sbin/ss
user@server: ~ $

On a Red Hat-based system it is installed with iproute too.

[user@redhat ~]# sudo rpm -qf `which ss`
iproute-2.6.18-11.el5
[user@redhat ~]#

Running aptitude install iproute or yum install iproute installs the package on a Debian or Red Hat system respectively.

Now let's look at some examples. Let's say we want to see how many established ssh connections there are.

[user@redhat ~]# sudo ss -t '( sport = :22 )'
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 ::ffff:10.40.7.12:ssh ::ffff:10.16.241.194:56325
ESTAB 0 0 ::ffff:10.40.7.12:ssh ::ffff:10.16.241.194:53804
ESTAB 0 0 ::ffff:10.40.7.12:ssh ::ffff:10.16.241.194:60486
ESTAB 0 0 ::ffff:10.40.7.12:ssh ::ffff:10.14.17.48:37471
ESTAB 0 0 ::ffff:10.40.7.12:ssh ::ffff:10.16.241.194:57982
ESTAB 0 0 ::ffff:10.40.7.12:ssh ::ffff:10.16.241.194:57525
ESTAB 0 304 ::ffff:10.40.7.9:ssh ::ffff:10.14.17.22:46376
ESTAB 0 0 ::ffff:10.40.7.9:ssh ::ffff:10.16.241.28:42654
ESTAB 0 0 ::ffff:10.40.7.9:ssh ::ffff:10.16.241.12:36276
ESTAB 0 0 ::ffff:10.40.7.9:ssh ::ffff:10.16.241.8:57936
ESTAB 0 0 ::ffff:10.40.7.9:ssh ::ffff:10.16.241.28:42855
[user@redhat ~]#

The -t option restricts the output to TCP sockets; without -a, listening sockets are not shown.
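
To turn a listing like the one above into actual numbers, the following added example (not part of the original post) counts established connections in total and per peer address, which makes a single source holding many sessions easy to spot. The function names count_peers, total_established and sample_ss_output are hypothetical, the sample input is constructed in the format of the output shown above, and the parser assumes the State column is present.

```shell
#!/bin/sh
# Added example: summarise `ss -t` output by peer address.

# count_peers: read `ss -t` output on stdin and print "<count> <peer>" lines,
# busiest peer first. Only rows whose State column is ESTAB are counted.
count_peers() {
    awk '
        $1 == "ESTAB" {
            peer = $NF                  # last column is Peer Address:Port
            sub(/:[^:]*$/, "", peer)    # drop the trailing :port
            sub(/^::ffff:/, "", peer)   # IPv4-mapped IPv6 -> plain IPv4
            n[peer]++
        }
        END { for (p in n) print n[p], p }
    ' | LC_ALL=C sort -k1,1nr -k2,2
}

# total_established: print the number of ESTAB rows read on stdin.
total_established() {
    awk '$1 == "ESTAB" { c++ } END { print c + 0 }'
}

# Constructed sample input (addresses reused from the listing above; the
# TIME-WAIT row is added to show that non-established sockets are skipped).
sample_ss_output() {
    cat <<'EOF'
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 ::ffff:10.40.7.12:ssh ::ffff:10.16.241.194:56325
ESTAB 0 0 ::ffff:10.40.7.12:ssh ::ffff:10.16.241.194:53804
ESTAB 0 0 ::ffff:10.40.7.12:ssh ::ffff:10.14.17.48:37471
TIME-WAIT 0 0 ::ffff:10.40.7.12:ssh ::ffff:10.16.241.194:60486
ESTAB 0 304 ::ffff:10.40.7.9:ssh ::ffff:10.14.17.22:46376
ESTAB 0 0 ::ffff:10.40.7.9:ssh ::ffff:10.16.241.28:42654
ESTAB 0 0 ::ffff:10.40.7.9:ssh ::ffff:10.16.241.28:42855
EOF
}

# Run against the sample; on a live host pipe real output in instead, e.g.
#   sudo ss -tn '( sport = :22 )' | count_peers
sample_ss_output | count_peers
echo "total established: $(sample_ss_output | total_established)"
```

The -n flag in the live command keeps addresses and ports numeric, so the per-peer counts do not depend on name resolution.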

You can also replace the port number with the name of the service that runs on it by default.

user@debian:~$ sudo ss -t '( sport = :mysql )'
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 192.168.140.121:mysql 192.168.137.234:35512
user@debian:~$

To see all open ports on the server, including listening sockets, use the -a option.

xavi@linode2:~$ sudo ss -t -a
State       Recv-Q Send-Q                   Local Address:Port       Peer Address:Port   
LISTEN      0      5                                    *:nrpe              *:*       
LISTEN      0      50                     192.168.140.121:mysql             *:*       
LISTEN      0      8                                    *:pop3              *:*       
LISTEN      0      8                                    *:imap2             *:*       
LISTEN      0      128                                 :::www              :::*       
LISTEN      0      128                                  *:ssh               *:*       
LISTEN      0      128                                 :::ssh              :::*       
LISTEN      0      100                                  *:smtp              *:*       
LISTEN      0      128                                 :::https            :::*       
TIME-WAIT   0      0               ::ffff:173.255.231.252:www          ::ffff:79.158.142.28:55032   
ESTAB       0      0                      192.168.140.121:mysql               192.168.137.234:35512  
ESTAB       0      48                     173.255.231.252:ssh                 79.158.142.28:48395   
TIME-WAIT   0      0               ::ffff:173.255.231.252:www          ::ffff:79.158.142.28:55033   
TIME-WAIT   0      0               ::ffff:173.255.231.252:www          ::ffff:173.255.231.252:37223 
xavi@linode2:~$

I believe the ss command is simpler to use but less well known than netstat. Enjoy.
