On Linux, everything is a file — regular files, directories, sockets, pipes, and devices. When something goes wrong, lsof tells you which processes hold which files. When network issues strike, ss gives you socket state with far less overhead than netstat.

lsof — List Open Files

Find which process is using a file

lsof /var/log/syslog

Output shows every process with an open handle on that file, including its PID and file descriptor.

Find what a specific process has open

lsof -p 1234

Invaluable when a process is behaving oddly — check if it has leaked file descriptors, holds stale locks, or unexpectedly opened too many connections.

Find processes using a given port

lsof -i :8080

Show only network connections

lsof -i

Combine with -P to avoid DNS lookups and -n to avoid hostname resolution:

lsof -i -P -n

Find deleted files still consuming disk

When you delete a file but a process keeps it open, the disk space is not released:

lsof -nP | grep "(deleted)"

Fix by restarting the process or clearing the file descriptor:

: > /proc/$PID/fd/$FD

Useful combination flags

# Listen on all TCP/UDP ports, no name resolution
lsof -iTCP -sTCP:LISTEN -P -n
 
# Unix domain sockets
lsof -U
 
# Show file descriptor size and offset
lsof -o -p $PID

ss — Socket Statistics

ss is the modern replacement for netstat. It reads socket information directly from the kernel and is significantly faster, especially on systems with thousands of connections.

Show all sockets

ss -a

Show only TCP sockets

ss -t

Show only listening sockets

ss -tlnp

Breakdown: -t TCP, -l listening, -n numeric, -p show process.

Connection state filtering

# All established connections
ss -t state established
 
# Connections in TIME_WAIT (potential port exhaustion)
ss -t state time-wait
 
# Or with numeric values
ss -t state fin-wait-1
ss -t state close-wait

Socket statistics by port

ss -tlnp sport = :80
ss -tlnp dport = :443

Process-level socket info

ss -tlp

The -p flag shows the PID and process name — essential for identifying which service owns each socket.

Real-World Scenarios

”Cannot unmount filesystem”

umount /mnt/data
# device is busy
lsof /mnt/data

Find the offending process and either kill it or change its working directory.

Port already in use

ss -tlnp sport = :3000

Shows the PID holding port 3000 so you can restart or kill it.

Connection limit reached

ss -s

Shows total socket counts by state. If time-wait is high, you may need to tune net.ipv4.tcp_tw_reuse.

Which process is saturating the network

ss -t -o state established -p

Watch established connections grow in real time. Combine with watch:

watch -n 1 'ss -t state established | wc -l'

Performance Comparison

On a server with 100k connections:

• netstat -a — 3-5 seconds, high CPU
• ss -a — under 0.1 seconds, minimal CPU

Always use ss over netstat. On modern distros netstat is often not even installed by default.