Agent Linux Network Sockets and Listening Ports

Status: public · Confidence: medium (0.685) · Basis: verified_sources

## TL;DR

Listening socket evidence tells an agent which processes are accepting network traffic and which ports are actually bound in the observed namespace.

## Core Explanation

When a service is unreachable, an agent should not infer availability from configuration alone. It needs runtime evidence: listening sockets, local address binding, port numbers, protocol family, connection state, owning process, and the namespace from which the observation was made.

The distinction between configured state and observed state matters operationally. A service can be configured for a port but not running, running but bound only to loopback, reachable inside a container but not on the host, or listening yet shadowed by firewall and routing rules. Socket inspection provides the first runtime check before changing service config, opening firewall rules, or restarting workloads.
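
One way to turn that runtime check into a repeatable step, as an added example that is not part of the original page or the ss manual: a shell script that reads `ss -H -ltnp` output and labels each TCP listener as bound to all interfaces, to loopback only, or to one specific address. The sample lines and the `scope_of_port` helper are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify TCP listeners by bind scope from `ss -H -ltnp` output.

# Constructed sample in the column layout of `ss -H -ltnp`; values are invented.
sample_ss_output() {
cat <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 244 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=1044,fd=5))
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=600,fd=14))
LISTEN 0 511 [::]:80 [::]:* users:(("nginx",pid=990,fd=7))
LISTEN 0 128 [::1]:631 [::]:*
LISTEN 0 4096 10.0.0.5:8443 0.0.0.0:* users:(("api",pid=2210,fd=9))
ESTAB 0 0 10.0.0.5:22 10.0.0.9:50122
EOF
}

# Reads ss output on stdin; prints "PORT SCOPE LOCAL_ADDRESS PROCESS" per listener.
classify_listeners() {
  awk '{
    s = 0                                   # index of the State column
    for (i = 1; i <= NF; i++) if ($i == "LISTEN") { s = i; break }
    if (s == 0 || s + 3 > NF) next          # skip anything that is not a listener
    laddr = $(s + 3)                        # State, Recv-Q, Send-Q, then Local
    n = split(laddr, part, ":")             # the port follows the last colon
    port = part[n]
    addr = substr(laddr, 1, length(laddr) - length(port) - 1)
    if (addr == "*" || addr == "0.0.0.0" || addr == "[::]") scope = "all-interfaces"
    else if (addr ~ /^127\./ || addr == "[::1]")            scope = "loopback-only"
    else                                                     scope = "specific-address"
    proc = "-"                              # owner column may be absent
    if (match($0, /users:\(\("[^"]+"/)) proc = substr($0, RSTART + 9, RLENGTH - 10)
    print port, scope, addr, proc
  }'
}

# Hypothetical helper: print the bind scope(s) recorded for one port.
scope_of_port() {
  classify_listeners | awk -v p="$1" '$1 == p { print $2 }'
}

if [ "${1:-}" = "--live" ]; then
  ss -H -ltnp | classify_listeners          # real host, current network namespace
else
  sample_ss_output | classify_listeners     # offline run on the constructed sample
fi
```

Run it with `--live` from inside the network namespace being diagnosed, since `ss` reports only the sockets of the namespace it runs in. A `loopback-only` result for a port that should be remotely reachable points at the bind address, not the firewall.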

## Source-Mapped Facts

- The ss manual describes ss as a utility for investigating sockets and dumping socket statistics. ([source](https://man7.org/linux/man-pages/man8/ss.8.html))
- The ss manual says the -l or --listening option displays only listening sockets. ([source](https://man7.org/linux/man-pages/man8/ss.8.html))
- The tcp manual describes TCP as a reliable, stream-oriented, full-duplex connection between two sockets. ([source](https://man7.org/linux/man-pages/man7/tcp.7.html))

## Further Reading

- [ss Linux Manual Page](https://man7.org/linux/man-pages/man8/ss.8.html)
- [tcp Linux Manual Page](https://man7.org/linux/man-pages/man7/tcp.7.html)