ss vs netstat: Modern Network Connection Inspection
Problem
netstat is deprecated and slow on systems with many connections. ss provides the same information faster with richer filtering.
Solution
Use ss with appropriate filters instead of netstat.

```bash
# All listening TCP and UDP ports
ss -tulnp
# Breakdown of flags:
# -t = TCP, -u = UDP, -l = listening, -n = numeric, -p = process

# All established TCP connections
ss -tn state established

# Connections to a specific remote port (dst matches the peer address/port)
ss -tn dst :443

# Connections whose local (source) address is in a subnet (src matches the local address/port)
ss -tn src 192.168.1.0/24

# Socket statistics summary
ss -s

# Show timer info (retransmit, keepalive)
ss -to

# Unix domain sockets
ss -xl

# netstat equivalents (for reference)
netstat -tulnp   # → ss -tulnp
netstat -an      # → ss -an
netstat -rn      # → ip route show
```

Why
netstat reads /proc/net, which becomes slow with tens of thousands of connections. ss uses the NETLINK socket API to query kernel socket tables directly, which is orders of magnitude faster at scale.
Gotchas
- ss -p may not show process names without root on some distributions.
- ss does not show PID for kernel threads (shown as -).
- TIME_WAIT sockets consume port numbers but not significant memory; a large count indicates high connection turnover.
- The netstat package may not be installed on modern minimal systems — use ss from the iproute2 package.
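
An added example, not part of the original tip: a small audit built on `ss -tulnp` that lists listening sockets bound to non-loopback addresses on ports outside an allowlist, and still reports a socket when the process column is missing (the first gotcha above). The function names, the `ALLOWED_PORTS` variable and the sample lines are assumptions constructed for illustration.

```bash
#!/bin/sh
# Added example: audit listening sockets from `ss -H -tulnp` output.
# ALLOWED_PORTS, the function names and the sample lines are constructed.

ALLOWED_PORTS="${ALLOWED_PORTS:-22 443}"

# Reads `ss -H -tulnp` output on stdin (columns: Netid State Recv-Q Send-Q
# Local Peer [Process]) and prints "proto addr port process" for every
# socket bound to a non-loopback address on a port outside the allowlist.
exposed_listeners() {
  awk -v allowed="$ALLOWED_PORTS" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NF >= 6 {
      port = $5; sub(/.*:/, "", port)              # text after the last colon
      addr = substr($5, 1, length($5) - length(port) - 1)
      if (addr ~ /^127\./ || addr == "[::1]") next # loopback only
      if (port in ok) next                         # expected service
      proc = "unknown"                             # -p column missing (non-root)
      if (match($0, /users:\(\("[^"]*"/))
        proc = substr($0, RSTART + 9, RLENGTH - 10)
      print $1, addr, port, proc
    }'
}

# Constructed sample of `ss -H -tulnp` output, so the audit runs offline.
sample_ss_output() {
  cat <<'EOF'
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      4096       127.0.0.1:5432      0.0.0.0:*    users:(("postgres",pid=1044,fd=5))
udp   UNCONN 0      0            0.0.0.0:68        0.0.0.0:*
tcp   LISTEN 0      511             [::]:8080         [::]:*    users:(("node",pid=2210,fd=19))
tcp   LISTEN 0      4096    127.0.0.53%lo:53       0.0.0.0:*
tcp   LISTEN 0      128                *:9100            *:*
EOF
}

# Live use: ss -H -tulnp | exposed_listeners
```

Run it as root when the process names matter; otherwise sockets owned by other users are reported with `unknown`.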