List and inspect active TCP, UDP and UNIX sockets from the command line to troubleshoot and secure a Linux host.

16.11.2025

Curious which remote hosts talk to your machine right now? On Linux the `ss` tool lets a technician list every active socket, see which process owns a connection, and spot unexpected network activity from the command line.

## Live terminal example

Run the command `sudo ss -tunap` to see all TCP and UDP sockets with process info; for example:

```bash
$ sudo ss -tunap
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port   Process
ESTAB   0       0       192.168.1.10:22     192.168.1.20:54321  users:(sshd, pid=1234, fd=3)
LISTEN  0       128     0.0.0.0:80          0.0.0.0:*           users:(nginx, pid=2345, fd=6)
UNCONN  0       0       0.0.0.0:68          0.0.0.0:*           users:(dhclient, pid=567, fd=8)
```

## Practical filters and flags

Narrow results with filters and short flags:

- `-n` avoids name resolution
- `-p` shows process owners
- `state established` shows active sessions
- `ss -s` prints a summary
- `ss -o` reveals timer information

Combine options to tell a precise story about who talks to whom.

## When a deeper probe is needed

If a connection looks suspicious, capture packets with `tcpdump`, inspect open files with `lsof -i`, or run a local port scan with `nmap`. On NAT gateways, check kernel connection tracking with `conntrack` to see translated flows and lifetimes.

## Wrap-up and next steps

Listing sockets is the first step in network forensics and hardening: learn to combine `ss` with logs and packet captures to form fast diagnoses. To master Linux networking and prepare for certifications like CompTIA Linux+ or LPIC-1, consider intensive exam preparation at bitsandbytes.academy.
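To turn the `ss` listing described above into a repeatable check, the following added example (not part of the original article) reads socket lines and reports every listener whose protocol/port is not on an allowlist, together with its bind scope and owning process. The function names and allowlist entries are hypothetical, and the sample lines are constructed in the layout `ss -H -tunap` prints in current iproute2 (a leading Netid column and a Process column of the form `users:(("name",pid=N,fd=N))`).

```bash
# Added example: flag listening sockets that are not on an allowlist.
# Input on stdin: lines as printed by `ss -H -tunap`; args: allowed "proto/port".
unexpected_listeners() {
    awk -v allow="$*" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    # TCP listeners show as LISTEN, bound UDP sockets as UNCONN.
    $2 == "LISTEN" || ($1 == "udp" && $2 == "UNCONN") {
        laddr = $5
        port = laddr; sub(/.*:/, "", port)      # text after the last colon
        addr = substr(laddr, 1, length(laddr) - length(port) - 1)
        key = $1 "/" port
        if (key in ok) next
        scope = "specific"
        if (addr == "0.0.0.0" || addr == "*" || addr == "[::]") scope = "wildcard"
        else if (addr ~ /^127\./ || addr == "[::1]") scope = "loopback"
        # The Process column is missing when ss lacks the privilege to read it.
        proc = "unknown"; pid = "-"
        if (match($0, /users:\(\("[^"]+",pid=[0-9]+/)) {
            split(substr($0, RSTART, RLENGTH), p, "\"")
            proc = p[2]; pid = p[3]; sub(/^,pid=/, "", pid)
        }
        print key, addr, scope, proc, pid
    }'
}

# Constructed sample input (not captured from a real host).
sample_ss_output() {
    cat <<'EOF'
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=1234,fd=3))
tcp   LISTEN 0      128          0.0.0.0:80         0.0.0.0:*     users:(("nginx",pid=2345,fd=6))
tcp   ESTAB  0      0       192.168.1.10:22    192.168.1.20:54321 users:(("sshd",pid=1301,fd=4))
tcp   LISTEN 0      5          127.0.0.1:6010       0.0.0.0:*     users:(("sshd",pid=1301,fd=9))
tcp   LISTEN 0      16              [::]:8000          [::]:*     users:(("python3",pid=4242,fd=3))
udp   UNCONN 0      0            0.0.0.0:68         0.0.0.0:*     users:(("dhclient",pid=567,fd=8))
EOF
}

# Demo: SSH, HTTP and the DHCP client are expected; anything else is reported.
sample_ss_output | unexpected_listeners tcp/22 tcp/80 udp/68
```

On a live host, pipe `sudo ss -H -tunap` into `unexpected_listeners` with the ports that host is supposed to serve; a `wildcard` line for a process nobody recognises is the one to follow up with `lsof -i` or `tcpdump`.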