Viewing Active Network Connections in Linux

By Bo MorganLinux Basics

 

When something on a Linux system is slow, unresponsive, or not behaving the way you expect, one of the first questions to ask is simple:
what is this system connected to right now?

Linux gives you a clean, reliable way to see active network connections, open ports, and the programs using them. This guide walks through that process step by step, using a single modern tool and practical examples pulled directly from the original script .

Nothing here changes your system. You are only observing what is already happening.

What We’re Trying to See

Before typing any commands, it helps to be clear about the goal.

We want to be able to answer three questions:

  • What network connections exist right now

  • Which ports are open and listening

  • What programs are using those ports

This is core Linux troubleshooting. You are confirming facts instead of guessing.

The ss Command (The Only Tool You Need)

The modern Linux tool for viewing network connections is called ss.

The name comes from “socket statistics.” A socket is simply how programs communicate over the network. You do not need to memorize that term. What matters is this:

ss shows live network connections on your system.

Viewing Active Connections

Start with the simplest possible command.

ss

Example output:

State   Recv-Q  Send-Q   Local Address:Port    Peer Address:Port 
ESTAB   0       0        192.168.1.50:ssh      192.168.1.20:53422 
ESTAB   0       0        192.168.1.50:443      192.168.1.30:51588

Read this slowly:

  • State shows what the connection is doing

    • ESTAB means established, or active

  • Local Address:Port is your system and the port it is using

  • Peer Address:Port is the remote system on the other end

This already tells you which connections are currently active.

Practical use:
This is how you confirm that an SSH session, web request, or other network connection is actually happening.

Showing Listening Ports Only

In day-to-day IT work, you often care more about listening services than active connections.

A listening port means a service is running and waiting for connections.

ss -l

Example output:

State   Recv-Q  Send-Q   Local Address:Port 
LISTEN  0       128     0.0.0.0:ssh 
LISTEN  0       128     0.0.0.0:http

Here’s what this means:

  • -l means listening

  • These services are running and ready to accept connections

  • If a service does not appear here, it is not listening

Practical use:
This is how you verify that services like SSH or a web server are actually running.

Limiting Output to TCP Connections

Most beginner-level troubleshooting focuses on TCP connections.

TCP is used by SSH, web servers, databases, and most applications.

ss -t

The -t option limits the output to TCP only. This removes noise and makes the results easier to read.

Viewing Listening TCP Services

Now combine what you’ve learned.

ss -lt

Example output:

State   Recv-Q  Send-Q   Local Address:Port 
LISTEN  0       128     0.0.0.0:ssh 
LISTEN  0       128     127.0.0.1:postgresql

This shows TCP services that are waiting for connections.

This single command is one of the most commonly used checks in real Linux environments.

Seeing Which Program Owns a Port

Ports are useful, but knowing which program owns them is even more important.

To see that, add one more option.

sudo ss -ltp

Example output:

LISTEN  0  128  0.0.0.0:ssh  users:(("sshd",pid=742,fd=3))

Explanation:

  • -p shows the process using the port

  • You can see the program name and process ID

  • sudo is required because regular users cannot see all processes

Practical use:
This removes guesswork. You can confirm exactly which service is bound to a port.

Filtering for a Specific Port

Often you only care about one service.

For example, to check SSH (port 22):

ss -ltp | grep 22

This filters the output to only show SSH. You can replace 22 with any port number you need.

Common Beginner Mistakes

Forgetting sudo
If you do not use sudo, program names may be missing. That is expected behavior, not an error.

Expecting netstat
Older guides use netstat. On modern Linux systems, ss replaces it.

Confusing LISTEN and ESTAB
LISTEN means waiting for connections.
ESTAB means a connection is currently active.
They describe different states.

A Real IT Troubleshooting Example

Imagine a web application is “not responding.”

The first question is simple: is it even listening?

sudo ss -ltp | grep 80

If nothing appears, the web server is not running or not bound to port 80.

That immediately narrows the problem.

This is how real troubleshooting works. You confirm facts instead of guessing.

A Small Optional Next Step

Once you’re comfortable, you can watch connections change in real time.

watch ss -t

This refreshes every two seconds and shows connections appearing and disappearing.

This step is optional. Use it only after the basics feel natural.

Conclusion

Viewing active network connections is a foundational Linux skill. You do not need to memorize every option. What matters is understanding what you are looking at and why it matters.

Work through these commands a few times. With repetition, the output will start to make sense on its own.