Drill: Examine TCP Connection States with ss

Goal

Use ss to inspect TCP connection states, identify CLOSE_WAIT and TIME_WAIT accumulation, and diagnose connection issues.

Setup

  • Linux system with iproute2 installed (provides ss)
  • Root access for viewing all sockets

Commands

Show all TCP connections with state:

ss -tan

Show listening sockets with process info:

ss -tlnp

Filter by specific state:

ss -tan state time-wait
ss -tan state close-wait
ss -tan state established

Count connections by state:

ss -tan | awk 'NR>1 {print $1}' | sort | uniq -c | sort -rn

Show connections to a specific port:

ss -tan 'dport = :443'

Show connections from a specific source:

ss -tan 'src 10.0.0.0/8'

Show socket memory and timer info:

ss -tanm
ss -tano  # show timer information

What to Look For

  • Large numbers of TIME_WAIT are often normal but can exhaust port space
  • CLOSE_WAIT accumulation indicates the local application is not closing connections properly
  • SYN_RECV buildup may indicate SYN flood or slow application accept
  • ESTABLISHED count should match expected concurrency for the service
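
The checks above can be scripted. The following is an added example, not part of the original drill: it counts sockets per state from ss -tan output and warns when CLOSE-WAIT or SYN-RECV sockets pile up on one local port. Note that ss prints state names with hyphens and abbreviates ESTABLISHED to ESTAB. The function names, thresholds, and sample data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag the states listed above from `ss -tan` output.
# Thresholds are illustrative assumptions; set them per service.
CLOSE_WAIT_MAX=${CLOSE_WAIT_MAX:-2}
SYN_RECV_MAX=${SYN_RECV_MAX:-2}

# Reads `ss -tan` output on stdin. Prints "STATE count" per state, then a
# WARN line for each local port whose CLOSE-WAIT or SYN-RECV count exceeds
# its threshold.
ss_state_report() {
    awk -v cw_max="$CLOSE_WAIT_MAX" -v sr_max="$SYN_RECV_MAX" '
        $1 == "State" || NF < 5 { next }      # skip header and short lines
        {
            count[$1]++
            lport = $4; sub(/.*:/, "", lport) # text after last colon (IPv6-safe)
            if ($1 == "CLOSE-WAIT") cw[lport]++
            if ($1 == "SYN-RECV")   sr[lport]++
        }
        END {
            for (s in count) printf "%s %d\n", s, count[s]
            for (p in cw) if (cw[p] > cw_max)
                printf "WARN close-wait local_port=%s count=%d\n", p, cw[p]
            for (p in sr) if (sr[p] > sr_max)
                printf "WARN syn-recv local_port=%s count=%d\n", p, sr[p]
        }' | LC_ALL=C sort
}

# Constructed sample in `ss -tan` format (not captured from a real host).
sample_ss_output() {
    cat <<'EOF'
State      Recv-Q Send-Q Local Address:Port    Peer Address:Port
LISTEN     0      128    0.0.0.0:8080          0.0.0.0:*
ESTAB      0      0      10.0.0.5:8080         10.0.0.21:51514
ESTAB      0      0      10.0.0.5:8080         10.0.0.22:40022
CLOSE-WAIT 1      0      10.0.0.5:8080         10.0.0.23:51820
CLOSE-WAIT 1      0      10.0.0.5:8080         10.0.0.24:51822
CLOSE-WAIT 1      0      10.0.0.5:8080         10.0.0.25:51824
TIME-WAIT  0      0      10.0.0.5:8080         10.0.0.26:40100
SYN-RECV   0      0      [::ffff:10.0.0.5]:443 [::ffff:10.0.0.30]:50001
EOF
}

# Live use: ss -tan | ss_state_report
sample_ss_output | ss_state_report
```

Grouping by local port suits a server whose listening port accumulates the stuck sockets; for a client-side leak, group on the peer port (field 5) instead.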

Common Mistakes

  • Using netstat instead of ss (netstat is slower and deprecated on modern systems)
  • Forgetting -p flag and not seeing which process owns the socket
  • Not using -n and waiting for DNS resolution on every connection
  • Confusing source and destination in filter expressions

Cleanup

No cleanup needed. ss is a read-only inspection tool.