kuda.ai | Today I Learned

Created on October 1, 2025

ss and lsof: Find out which process is listening on a port.

In short:

Use ss if you want a quick look at sockets, ports, and connections.
Use lsof if you want to trace which files (including sockets) a process has open.

ss – “socket statistics”

From man ss:

ss - another utility to investigate sockets

Many people use netstat. But apparently, netstat is discouraged.

From man netstat:

netstat - Print network connections, routing tables, interface statistics, masquerade connections, and multicast memberships

NOTES
    This program is mostly obsolete.
    Replacement for netstat is ss.
    Replacement for netstat -r is ip route.
    Replacement for netstat -i is ip -s link.
    Replacement for netstat -g is ip maddr.

A common set of options is tulpn:

ss -tulpn

ss \
    --tcp \
    --udp \
    --listening \
    --processes \
    --numeric

    -t, --tcp
        Display TCP sockets.

    -u, --udp
        Display UDP sockets.

    -l, --listening
        Display only listening sockets (these are  omit‐
        ted by default).

    -p, --processes
        Show process using socket.

    -n, --numeric
        Do not try to resolve service names. Show  exact
        bandwidth values, instead of human-readable.

After the command, you can add an EXPRESSION:

ss [options] [expression]

EXPRESSION
       EXPRESSION allows filtering based on specific criteria.
       EXPRESSION consists of a series of predicates  combined
       by  boolean  operators.  The  possible operators in in‐
       creasing order of precedence are or (or | or  ||),  and
       (or & or &&), and not (or !). If no operator is between
       consecutive predicates, an implicit and operator is as‐
       sumed. Subexpressions can be grouped with "(" and ")".

# Who listens on 8080?
ss -tlpn 'sport == :8080'

# Who listens on ports between 8000 and 8999?
ss -tlpn 'sport >= :8000 && sport < :9000'

lsof – list open files

In Linux, most things are files. Sockets are files. Ports are sockets. Therefore, lsof shows ports.

# Show which process is listening on port 8000:
lsof -i :8000

# Show all file descriptors that PID 1234 has open
lsof -p 1234

       -i [i]   selects the listing of files any of whose  In‐
                ternet  address  matches the address specified
                in i.  If no address is specified, this option
                selects the listing of all Internet  and  x.25
                (HP-UX) network files.