Introduction

Sometimes you want to see which programs are talking over the network on your computer. netstat and ss are tools that show you all the current network connections and listening ports. They help you understand what is communicating and where.

When you want to check if a web server is running and listening on port 80.

When you suspect a program is using the network and want to find its connection details.

When you want to see all active network connections on your machine.

When you need to find the process ID (PID) of a program using a specific port.

When you want to troubleshoot network issues by viewing socket states.

Commands

This command lists all TCP and UDP ports that are currently listening, showing numeric addresses and port numbers for clarity.

Terminal

netstat -tuln

Expected OutputExpected

Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN tcp6 0 0 :::80 :::* LISTEN udp 0 0 0.0.0.0:123 0.0.0.0:* udp6 0 0 :::123 :::*

→

-t - Show TCP connections

→

-u - Show UDP connections

→

-l - Show only listening sockets

→

-n - Show numeric addresses and ports

This command also lists all listening TCP and UDP sockets with numeric addresses, but ss is faster and more modern than netstat.

Terminal

ss -tuln

Expected OutputExpected

Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* tcp LISTEN 0 128 [::]:80 [::]:* udp UNCONN 0 0 0.0.0.0:123 0.0.0.0:* udp UNCONN 0 0 [::]:123 [::]:*

→

-t - Show TCP sockets

→

-u - Show UDP sockets

→

-l - Show listening sockets

→

-n - Show numeric addresses and ports

This command shows all active TCP and UDP connections with numeric addresses and the process ID and name that owns each connection.

Terminal

netstat -tunp

Expected OutputExpected

Active Internet connections (w/o servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 192.168.1.10:22 192.168.1.5:53422 ESTABLISHED 1234/sshd udp 0 0 0.0.0.0:123 0.0.0.0:* 567/ntpd

→

-t - Show TCP connections

→

-u - Show UDP connections

→

-n - Show numeric addresses and ports

→

-p - Show process ID and program name

This command lists all active TCP and UDP connections with numeric addresses and shows the process ID and name for each connection, using the modern ss tool.

Terminal

ss -tunp

Expected OutputExpected

Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process tcp ESTAB 0 0 192.168.1.10:22 192.168.1.5:53422 users:("sshd",pid=1234,fd=3) udp UNCONN 0 0 0.0.0.0:123 0.0.0.0:* users:("ntpd",pid=567,fd=4)

→

-t - Show TCP sockets

→

-u - Show UDP sockets

→

-n - Show numeric addresses and ports

→

-p - Show process using the socket

Key Concept

If you remember nothing else from this pattern, remember: ss is a faster, modern replacement for netstat that shows detailed network connection info including processes.

Common Mistakes

Running netstat without sudo when trying to see process IDs

Without sudo, netstat cannot show the process ID and program name, so that info is missing.

Run netstat with sudo (e.g., sudo netstat -tunp) to see process details.

Using netstat without the -n flag

Without -n, netstat tries to resolve hostnames and service names, which slows down output and can confuse beginners.

Always use -n to show numeric IP addresses and ports for clarity and speed.

Expecting ss output to be identical to netstat

ss output format is different and more detailed; expecting exact same columns can cause confusion.

Learn ss output format separately; focus on key info like state, local address, and process.

Summary

Use netstat or ss to list current network connections and listening ports.

Add flags like -t, -u, -l, -n, and -p to filter and show details like protocols, listening state, numeric addresses, and processes.

ss is a modern, faster tool that provides similar info to netstat with better performance.