This is a small collection of useful ss (written by Alexey Kuznetsov of the Russian Nuclear Research Institute) syntax examples that go beyond the basics covered by other sources. Here’s one I use often: it shows established connections to destinations beyond the localhost and its local subnet:

ss --numeric --resolve --options state established \
not dst $(ip -o -f inet addr show | awk '/scope global/ {print $4}') \
and not dst 127.0.0.1 | sed -e "s/[[:space:]]\+/ /g" -e 's/::ffff://g' | \
awk '{print $3,$4}' | grep -v ^Local | column -t

Sample output:

ncc1701.jedi.local:80    rigby04.embed.ly:41239
ncc1701.jedi.local:80    crawl-66-249-64-147.googlebot.com:54942
ncc1701.jedi.local:80    rigby03.embed.ly:57198
ncc1701.jedi.local:80    rigby05.embed.ly:36197
ncc1701.jedi.local:80    rigby02.embed.ly:36481

A similar example showing process name, PID, and file descriptor. This can be useful if you need to strace the PID or just kill it.

ss --processes --numeric --resolve --options state established \
not dst $(ip -o -f inet addr show | awk '/scope global/ {print $4}') \
and not dst 127.0.0.1 | sed -re "s/[[:space:]]\+/ /g" -e 's/::ffff://g' \
-e 's/timer:\([0-9a-z,]{1,}\)//g' | awk '{print $3,$4,$5}' | grep -v ^Local | \
column -t

Another variation of the above showing output of ps -ef for each PID:

ss --processes --numeric --resolve --options state established \
not dst $(ip -o -f inet addr show | awk '/scope global/ {print $4}') \
and not dst 127.0.0.1 | sed -re "s/[[:space:]]\+/ /g" -e 's/::ffff://g' \
-e 's/timer:\([0-9a-z,]{1,}\)//g' | awk '{print $3,$4,$5}' | \
grep -v ^Local | column -t | egrep -o ",[0-9]{1,}," | sed -e 's/,//g' | \
sort -u | while read pid ; do ps -ef | grep ${pid} | grep -v grep ; done

You can use the PID information in conjunction with nethogs and iftop to see who’s eating up your bandwidth.