Cybersecurity Triage

Inspect Established Network Connections

You need to list established TCP connections without changing network state.

Command

ss -tan state established

What changed

Nothing changes. The command displays current established TCP sockets.

Danger

safe

When to use it

Use when checking active client connections, suspicious network activity, or service traffic.

When not to use it

Do not treat it as a full security investigation; it is a point-in-time socket snapshot.

Undo or recovery

No undo needed because this command is read-only.

Expected output

A list of established TCP connections showing local and peer addresses and ports.

Demo script

Disposable terminal steps

  1. ss -ltnp
  2. ss -tan state established

Simulated output

What it looks like

$ ss -ltnp
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      511    0.0.0.0:80        0.0.0.0:*     users:(("nginx",pid=1907,fd=6))
LISTEN 0      128    127.0.0.1:5432     0.0.0.0:*     users:(("postgres",pid=2011,fd=7))
LISTEN 0      64     0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=801,fd=3))
$ ss -tan state established
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0      0      10.0.0.5:443     198.51.100.20:51422
ESTAB 0      0      10.0.0.5:5432    10.0.0.8:41430
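The snapshot above is only useful if you can quickly answer "who is this host talking to, on which service, and is any peer outside the ranges I expect?". The following helpers are an added example, not part of this lesson: they read the text that `ss -tan state established` prints (a constructed sample modelled on the transcript above, with two extra rows, stands in for live output) and reduce it to peers per local port plus a list of peers outside an allowed prefix. The function names and the 10.0.0. subnet are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not the lesson's own code): triage helpers for ss output.
# Constructed sample modelled on the lesson's transcript, with two extra rows;
# it was not captured from a real host.
SAMPLE_SS_OUTPUT='State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0      0      10.0.0.5:443     198.51.100.20:51422
ESTAB 0      0      10.0.0.5:5432    10.0.0.8:41430
ESTAB 0      0      10.0.0.5:5432    10.0.0.9:41431
ESTAB 0      0      10.0.0.5:22      203.0.113.7:60012'

# established_peers: read ss output on stdin, print "PEER_IP LOCAL_PORT" per row.
# Handles both layouts ss uses: with a State column (as in the transcript) and
# without it (ss drops State when a single state filter is given, so rows then
# start with the numeric Recv-Q value). Ports are split off after the last
# colon, so bracketed IPv6 peers such as [2001:db8::1]:443 also work.
established_peers() {
    awk '
        $1 == "ESTAB"   { local = $4; peer = $5 }   # State Recv-Q Send-Q Local Peer
        $1 ~ /^[0-9]+$/ { local = $3; peer = $4 }   # Recv-Q Send-Q Local Peer
        $1 == "ESTAB" || $1 ~ /^[0-9]+$/ {
            n = split(local, lp, ":"); lport = lp[n]
            sub(/:[^:]*$/, "", peer)     # strip the peer port
            gsub(/\[|\]/, "", peer)      # strip IPv6 brackets, if any
            print peer, lport
        }'
}

# peers_per_local_port: how many established peers each local service has.
# Output: "LOCAL_PORT COUNT", sorted by port.
peers_per_local_port() {
    established_peers | awk '{ c[$2]++ } END { for (p in c) print p, c[p] }' | sort -n
}

# flag_unexpected_peers PREFIX...: print "PEER_IP LOCAL_PORT" for every
# established peer whose address does not start with one of the given
# prefixes (e.g. 10.0.0. for the internal subnet). Anything printed here is
# a connection worth explaining during triage.
flag_unexpected_peers() {
    established_peers | awk -v allowed="$*" '
        BEGIN { n = split(allowed, pref, " ") }
        {
            ok = 0
            for (i = 1; i <= n; i++) if (index($1, pref[i]) == 1) ok = 1
            if (!ok) print
        }'
}

# Stand-alone demo on the constructed sample. On a live host replace the
# printf with:  ss -tan state established | flag_unexpected_peers 10.0.0.
printf '%s\n' "$SAMPLE_SS_OUTPUT" | peers_per_local_port
printf '%s\n' "$SAMPLE_SS_OUTPUT" | flag_unexpected_peers 10.0.0.
```

On the sample this reports one peer on port 22, one on 443 and two on 5432, and flags 198.51.100.20 (port 443) and 203.0.113.7 (port 22) as outside 10.0.0.. Two practical notes: the established view carries no Process column, so add `-p` (which needs enough privilege to see other users' sockets) when you want the owning process next to the peer, and pipe the output of several runs into these helpers if you want to see peers that come and go, since each run is still only a point-in-time snapshot.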

YouTube Short

See active TCP conversations.

Filter ss to established sockets when you need to see who the server is actively talking to.

LinkedIn hook

Unexpected connections are easier to reason about when you can see them directly.

Question: Do you inspect established sockets during incident timelines?

Experiments

A/B tests to run

Metric: watch_time

A: Active conversations.

B: Point-in-time socket snapshot.