Cybersecurity Triage

Read-only

Inspect Established Network Connections

You need to list established TCP connections without changing network state.

Command

ss -tan state established

Before you run this

System impact: Read-only. Low when scoped to the shown target.

When not to use it: Do not treat it as a full security investigation; it is a point-in-time socket snapshot.

Expected output

A list of established TCP connections showing local and peer addresses and ports.

System impact

Read-only. Nothing changes. The command displays current established TCP sockets.

Recovery / rollback: no state is changed.

When to use it

Use when checking active client connections, suspicious network activity, or service traffic.


Command transcript

This sanitized transcript shows the commands and output shape without exposing host details.

demo@lab:~$

$ ss -ltnp

State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      511    0.0.0.0:80        0.0.0.0:*     users:(("nginx",pid=1907,fd=6))
LISTEN 0      128    localhost:5432     0.0.0.0:*     users:(("postgres",pid=2011,fd=7))
LISTEN 0      64     0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=801,fd=3))

$ ss -tan state established

State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0      0      192.0.2.10:443     198.51.100.20:51422
ESTAB 0      0      192.0.2.10:5432    192.0.2.10:41430

These are the commands shown in the sanitized transcript.

Commands shown

  1. ss -ltnp
  2. ss -tan state established
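
The two commands in the transcript can be combined during triage: a connection whose local port also appears in the listener list was accepted by a local service, while any other local port points to a connection this host opened. The script below is an added example, not part of the original page; the helper name classify_established and the sample input are constructed for illustration, and the result describes only the moment the snapshot was taken.

```shell
#!/bin/sh
# Added example: label each established TCP socket inbound or outbound.
# Heuristic: a local port that also has a listener means the peer connected
# to us; any other local port is treated as a connection this host opened.

# Constructed sample input (documentation address ranges, not real hosts).
SAMPLE_LISTEN='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      511    0.0.0.0:80         0.0.0.0:*
LISTEN 0      64     0.0.0.0:22         0.0.0.0:*
LISTEN 0      64     [::]:22            [::]:*'

SAMPLE_ESTAB='Recv-Q Send-Q Local Address:Port Peer Address:Port
0      0      192.0.2.10:22      198.51.100.20:51422
0      0      192.0.2.10:80      203.0.113.7:40112
0      0      192.0.2.10:48810   203.0.113.99:8443
ESTAB  0      0      [2001:db8::10]:22  [2001:db8::20]:50000'

# classify_established LISTEN_TEXT ESTAB_TEXT  (hypothetical helper name)
# Prints one line per connection: direction local_addr:port peer_addr:port
classify_established() {
  { printf '%s\n' "$1"; echo '@@ESTAB@@'; printf '%s\n' "$2"; } | awk '
    $0 == "@@ESTAB@@" { phase = 1; next }      # listeners end, connections begin
    NF == 0 || /Local Address/ { next }        # skip blank and header rows
    {
      # The State column is not always printed (ss can drop it when a
      # single-state filter is used), so detect it from the first field.
      off = ($1 ~ /^[0-9]+$/) ? 0 : 1
      laddr = $(off + 3); peer = $(off + 4)
      port = laddr; sub(/.*:/, "", port)       # text after the last colon
      if (!phase) { listening[port] = 1; next }
      dir = (port in listening) ? "inbound" : "outbound"
      print dir, laddr, peer
    }'
}

# Live use on a host: classify_established "$(ss -ltn)" "$(ss -tan state established)"
classify_established "$SAMPLE_LISTEN" "$SAMPLE_ESTAB"
```

The port match ignores which address a listener is bound to, so treat the labels as a first sort of the snapshot and confirm anything unexpected against the process list.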

Next steps

Related commands

Cybersecurity Triage Read-only

Find Listening Ports with ss

Before blaming the firewall, check whether anything is actually listening.

ss -ltnp
Cybersecurity Triage State change

Find Allowed Ports with No Listener

An open firewall rule can outlive the service it was created for.

comm -23 <(ufw status numbered | awk '/ALLOW/ {print}' | grep -Eo '[0-9]+/(tcp|udp)' | cut -d/ -f1 | sort -u) <(ss -ltnp | awk '/LISTEN/ {n=split($4,a,":"); print a[n]}' | sort -u)
Study mapping

Use this as independent command practice: read the notes, predict the output, then compare it with the example before using a real shell.

  • lpic1:109-networking
  • lpic1:110-security
  • lfcs:networking
  • lfcs:security-hygiene
  • linuxplus:provisional
  • linuxplus:troubleshooting
  • risk:read-only

Useful for

  • LPIC-1 style command-line practice
  • LFCS style performance tasks
  • Linux+ style troubleshooting review

Independent study support only. No affiliation, endorsement, exam dumps, or real exam questions.