The ss (socket statistics) command provides a lot of information on network activity by displaying details on socket activity. One way to get started, although this may be a bit overwhelming, is to use the ss -h (help) command to get a listing of the command’s numerous options. Another is to try some of the more useful commands and get an idea what each of them can tell you.
One very useful command is the ss -s command. This command will show you some overall stats by transport type. In this output, we see stats for RAW, UDP, TCP, INET and FRAG sockets.
```
$ ss -s
Total: 524
TCP:   8 (estab 1, closed 0, orphaned 0, timewait 0)

Transport Total     IP        IPv6
RAW       2         1         1
UDP       7         5         2
TCP       8         6         2
INET      17        12        5
FRAG      0         0         0
```
- Raw sockets allow direct sending and receiving of IP packets without protocol-specific transport layer formatting and are used for security applications such as nmap
- TCP (transmission control protocol) is the primary connection protocol
- UDP (user datagram protocol) is similar to TCP but without the error checking
- INET includes both of the above (INET4 and INET6 can be viewed separately with some ss commands)
- FRAG — fragmented
Clearly the by-protocol lines above aren’t displaying the totality of the socket activity. The figure in the Total line at the top of the output indicates that there is a lot more going on than the by-type lines suggest. Still, these breakdowns can be very useful.
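The gap between the Total line and the by-type rows can be computed directly from the summary. The shell function below is an added example, not part of the original article; `ss_summary` and `sample_ss_output` are hypothetical names, and the sample input is the output shown above.

```shell
#!/bin/sh
# Parse `ss -s` output on stdin: print one line per transport row and the
# number of sockets in Total that the INET row does not account for.
ss_summary() {
    awk '
        $1 == "Total:" { total = $2 }
        # Table rows: a transport name followed by three integers.
        NF == 4 && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ && $4 ~ /^[0-9]+$/ {
            printf "%s total=%d ipv4=%d ipv6=%d\n", $1, $2, $3, $4
            # Sanity check: the IP and IPv6 columns should add up to Total.
            if ($3 + $4 != $2) printf "WARN %s: ipv4+ipv6 != total\n", $1
            if ($1 == "INET") inet = $2
        }
        END {
            if (total == "" || inet == "") {
                print "ERROR: unrecognized ss -s output"
                exit 1
            }
            printf "non_inet=%d\n", total - inet
        }
    '
}

# Sample input: the ss -s output shown earlier in this article.
sample_ss_output() {
cat <<'EOF'
Total: 524
TCP:   8 (estab 1, closed 0, orphaned 0, timewait 0)

Transport Total     IP        IPv6
RAW       2         1         1
UDP       7         5         2
TCP       8         6         2
INET      17        12        5
FRAG      0         0         0
EOF
}

sample_ss_output | ss_summary
# On a live system: ss -s | ss_summary
```

Recording these figures at intervals gives a baseline, so an unexpected jump in any row stands out.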