Network socket analysis is essential for troubleshooting connection issues, detecting resource leaks, and understanding application network behavior on Linux servers. The ss command (socket statistics) has replaced the older netstat as the standard tool for inspecting socket information. This guide covers practical ss usage for real-world network diagnostics.
Why ss Replaced netstat
The ss command reads directly from kernel netlink sockets, making it significantly faster than netstat (which parses /proc/net files). On servers with thousands of connections, ss returns results in milliseconds where netstat might take seconds. It also provides more detailed socket information including TCP internal state and memory usage.
Essential ss Commands
# All TCP connections with process info
ss -tnp
# Listening sockets (what ports are open)
ss -tlnp
# UDP sockets
ss -ulnp
# Socket summary statistics
ss -s
# Connections in TIME-WAIT state
ss -tn state time-wait
# Connections to a specific port
ss -tn dport = :443
Understanding TCP Connection States
TCP connections pass through multiple states. The most important ones to monitor are:
- ESTABLISHED: Active connections currently exchanging data
- TIME-WAIT: Closed connections waiting for delayed packets (normal, but high counts indicate rapid connection churn)
- CLOSE-WAIT: Remote side closed, local application has not yet closed (often indicates a connection leak bug)
- SYN-SENT/SYN-RECV: Connection handshake in progress (high counts may indicate SYN flood attack)
Detecting Connection Leaks
High CLOSE-WAIT counts are a strong indicator of connection leaks in your application:
# Count CLOSE-WAIT per process
ss -tnp state close-wait | awk '{print $NF}' | sort | uniq -c | sort -rn
# Monitor TIME-WAIT buildup
watch -n 2 "ss -s"
If you see CLOSE-WAIT connections growing over time for a specific process, that process has a bug: it is not properly closing connections after the remote side disconnects.
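An added example (not from the original guide or the dargslan-socket-stats tool): a shell function that counts CLOSE-WAIT sockets per process name and PID from unfiltered `ss -tanp` output, and groups sockets that carry no process column under "unknown", which happens when ss runs without root and would otherwise make the last field the peer address. The function names, the threshold argument and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# close_wait_leaks MIN
# stdin : output of `ss -tanp` (unfiltered, so State is column 1)
# stdout: COUNT<TAB>NAME<TAB>PID for every process holding at least MIN
#         CLOSE-WAIT sockets, highest count first.
close_wait_leaks() {
    awk -v min="${1:-1}" '
    $1 != "CLOSE-WAIT" { next }        # skips the header and all other states
    {
        key = "unknown\t-"             # no users:(...) column on this line
        # Only the first owner is used when several processes share a socket.
        if (match($0, /users:\(\("[^"]*",pid=[0-9]+/)) {
            s = substr($0, RSTART + 9, RLENGTH - 9)    # name",pid=N
            cut = index(s, "\",pid=")
            key = substr(s, 1, cut - 1) "\t" substr(s, cut + 6)
        }
        n[key]++
    }
    END { for (k in n) if (n[k] >= min) print n[k] "\t" k }
    ' | sort -rn
}

# Constructed sample input (documentation addresses, made-up PIDs).
sample_ss_output() {
cat <<'EOF'
State      Recv-Q Send-Q Local Address:Port  Peer Address:Port  Process
ESTAB      0      0      192.0.2.10:22       198.51.100.7:51234 users:(("sshd",pid=1023,fd=4))
CLOSE-WAIT 1      0      192.0.2.10:8080     198.51.100.8:40112 users:(("java",pid=2210,fd=88))
CLOSE-WAIT 1      0      192.0.2.10:8080     198.51.100.8:40113 users:(("java",pid=2210,fd=89))
CLOSE-WAIT 1      0      192.0.2.10:8080     198.51.100.9:40200 users:(("java",pid=2210,fd=90))
CLOSE-WAIT 0      0      192.0.2.10:5432     198.51.100.9:33100 users:(("postgres",pid=877,fd=12))
CLOSE-WAIT 0      0      192.0.2.10:9000     198.51.100.5:41000
CLOSE-WAIT 0      0      192.0.2.10:9000     198.51.100.5:41001
TIME-WAIT  0      0      192.0.2.10:443      198.51.100.6:50000
EOF
}

# Demo on the sample; on a live host run: ss -tanp | close_wait_leaks 5
sample_ss_output | close_wait_leaks 2
```

Running it from cron and comparing counts between runs shows whether a process's CLOSE-WAIT total is growing rather than just momentarily high.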
Automated Socket Analysis
For comprehensive socket monitoring with issue detection, use our dargslan-socket-stats tool:
pip install dargslan-socket-stats
dargslan-socket report # Full socket analysis
dargslan-socket states # State breakdown with percentages
dargslan-socket listen # Listening ports inventory
dargslan-socket audit # Detect issues automatically
Performance Tuning Based on Socket Data
Socket statistics inform kernel tuning decisions:
# If TIME-WAIT is excessive, enable reuse
sysctl -w net.ipv4.tcp_tw_reuse=1
# If SYN backlog is full
sysctl -w net.core.somaxconn=65535
sysctl -w net.ipv4.tcp_max_syn_backlog=65535
# If running out of local ports
sysctl -w net.ipv4.ip_local_port_range="1024 65535"
Download our free Socket Statistics & Diagnostics Cheat Sheet for a quick reference. For deeper Linux networking knowledge, browse our Networking & DevOps eBooks.