ss -ltnp: List Listening Ports and PIDs
ss -ltnp lists every listening TCP socket with its local address, port, and the PID/program that owns it.
ss is the modern replacement for netstat and ships on virtually every runner. -ltnp is the one combination to memorize for "what is listening and who owns it".
What it does
ss queries kernel socket state directly. The flags compose: -l listening, -t TCP, -u UDP, -n numeric (skip DNS/service lookup), -p show the process. So ss -ltnp is "listening TCP, numeric, with process". The Local Address:Port column shows the bind address; 0.0.0.0:8080 is all interfaces, 127.0.0.1:8080 is loopback only.
Common usage
ss -ltnp # listening TCP + owning process
ss -ltunp # add UDP as well
ss -ltnp 'sport = :8080' # filter to one port
ss -tnp state established # active connections with PIDsOptions
| Flag | What it does |
|---|---|
| -l | Listening sockets only |
| -t / -u | TCP / UDP sockets |
| -n | Numeric, do not resolve names (faster) |
| -p | Show the owning process (needs root for others) |
| -a | All sockets, listening and not |
| state <s> | Filter by state, e.g. established, listening |
In CI
Before starting a test server, ss -ltnp | grep :8080 confirms the port is free; a hit means a prior step left something bound. If your service is up but unreachable, check it is on 0.0.0.0 not 127.0.0.1: a service container bound to loopback is invisible to other containers on the runner.
Common errors in CI
Blank process columns mean ss ran without root; the socket shows but users:(("...",pid=...)) is hidden, so run with sudo. "Cannot open netlink socket: Operation not permitted" appears in restricted containers. Note the existing reference pages ss-command and ss-command-reference cover the broader command; this page is the listening-port recipe.