~/ linuxnetwork.net

The Evolution of Linux Networking: Why `netstat` is Largely Replaced by `ss`

In the realm of Linux system administration and networking, the traditional utility netstat (network statistics) has been largely replaced by the more modern, efficient, and feature-rich ss (socket statistics) command. This shift reflects the need for better performance, deeper insights into network sockets, and alignment with modern Linux networking paradigms. In this blog, we explore why ss has become the de facto standard, how it compares to netstat, and how to leverage it for networking tasks.

Table of Contents#

  1. What is the ss Command?
  2. Why Was netstat Largely Replaced by ss?
  3. Comparing ss and netstat Commands
  4. Common Use Cases with ss
  5. Best Practices for Using ss
  6. Migrating from netstat to ss
  7. Troubleshooting Networking Issues with ss
  8. Frequently Asked Questions (FAQ)
  9. Conclusion
  10. References

What is the ss Command?#

The ss (socket statistics) command is a powerful utility for investigating network sockets in Linux. It is part of the iproute2 suite (replacing legacy tools like netstat) and interacts directly with the kernel’s netlink interface for efficiency. ss provides detailed insights into:

  • TCP, UDP, and Unix-domain sockets.
  • Socket states (e.g., ESTABLISHED, LISTEN, TIME-WAIT).
  • Process associations (which process owns a socket).
  • Network metrics (e.g., TCP congestion window, retransmissions).

Unlike netstat, which parses plain-text files in /proc/net/, ss leverages the kernel’s netlink API, making it faster—especially with thousands of active connections.

Why Was netstat Largely Replaced by ss?#

Performance and Efficiency#

  • netstat’s Limitation: netstat reads plain-text files (e.g., /proc/net/tcp, /proc/net/udp), which is slow and resource-intensive, especially with high socket counts (e.g., in web servers or containerized environments).
  • ss’s Advantage: ss uses the kernel’s netlink interface, a binary, kernel-space communication protocol. This reduces I/O overhead and significantly speeds up socket enumeration in large environments—particularly noticeable with thousands of concurrent connections.

Feature Set and Flexibility#

  • Modern Protocols: ss supports newer networking features (e.g., TCP Fast Open and IPv6 flow labels), while netstat lacks these. Since QUIC runs over UDP, ss can display QUIC traffic as UDP sockets, but it does not have dedicated QUIC protocol support.
  • Advanced Filtering: ss uses a powerful filtering syntax (inspired by TCP Wrapper rules) to target specific sockets (e.g., by port, state, or process). For example: 
    ss -t '( sport = :80 or sport = :443 )'  # Filter by source port
  • Socket Metrics: ss exposes TCP metrics (e.g., retransmissions, RTT) via the -i flag, aiding in performance troubleshooting.

Integration with Modern Linux Networking#

The iproute2 suite (including ip, ss, bridge, etc.) is the modern standard for Linux networking. Distributions like RHEL 8+, Ubuntu 20.04+, Debian 10+, and their successors prioritize iproute2 tools, while netstat is deprecated (often provided as a compatibility alias or optional package such as net-tools).

Comparing ss and netstat Commands#

Command Syntax and Output#

Tasknetstat Commandss EquivalentNotes
List all listening socketsnetstat -tulnss -tulnIdentical syntax, faster output
Show process for socketsnetstat -ap (needs root)ss -ap (needs root)ss shows process names/PIDs
Socket statisticsnetstat -sss -sss includes more detailed metrics
Routing table (legacy)netstat -rnip route show (preferred)ip route is more feature-rich

Output Differences#

  • Compactness: ss output is more concise, with columns like Recv-Q/Send-Q, Local Address:Port, Peer Address:Port, and State.
  • Process Info: ss shows process names (e.g., nginx instead of just a PID) when run as root, improving readability.

Common Use Cases with ss#

Listing All Active Connections#

To view all active (including listening) sockets:

ss -a  # Includes LISTEN, ESTABLISHED, TIME-WAIT, etc.

Filtering by Port or Protocol#

  • By Port: Check if port 80 is in use: 
    ss -tuln sport = :80  # TCP/UDP, listening, numeric ports
  • By Protocol: List only UDP sockets: 
    ss -u  # UDP sockets (add -n for numeric, -l for listening)

Displaying Listening Sockets#

For services waiting for connections (e.g., web servers, SSH):

ss -tuln  # TCP/UDP, listening, numeric ports

Output example:

State      Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN     0      128          *:22               *:*
LISTEN     0      100      127.0.0.1:25               *:*
LISTEN     0      128         :::80              :::*

Examining TCP States#

  • Established Connections: 
    ss -t state ESTABLISHED
  • Troubleshoot SYN Floods: 
    ss -t state SYN-RECV  # Identify pending TCP handshakes

Working with UDP Sockets#

UDP is connectionless, so states like ESTABLISHED do not apply. Use:

ss -u -n  # UDP sockets, numeric addresses

Best Practices for Using ss#

Combining Filters for Precision#

Use boolean logic (AND/OR) to target specific sockets. For example, find all HTTPS (443) connections to a specific IP:

ss -t 'dport = :443 and dst 192.168.1.100'

Using JSON Output for Automation#

For scripted workflows, use JSON output with the -j flag:

ss -t -j  # Output TCP sockets as JSON

Example output (truncated):

[
  {"state":"ESTABLISHED","recv_q":0,"send_q":0,"local_addr":"192.168.1.5:22","peer_addr":"192.168.1.10:54321",...},
  ...
]

Monitoring with watch#

Track socket changes in real time (e.g., during a deployment):

watch -n 1 ss -tuln  # Refresh every 1 second

Limiting Output for Clarity#

For large environments, limit output with head or grep:

ss -t -n | head  # Show first 10 TCP sockets

Migrating from netstat to ss#

Equivalent Commands#

Tasknetstat Commandss Equivalent
List all socketsnetstat -ass -a
List listening socketsnetstat -tulnss -tuln
Show process for socketsnetstat -apss -ap (requires root)
Socket statisticsnetstat -sss -s
Routing table (legacy)netstat -rnip route show (recommended)

Aliasing for Smooth Transition#

To ease the transition, add aliases to your ~/.bashrc or ~/.zshrc:

alias netstat='ss'  # Simple alias (note: some flags differ)
alias netstat-listen='ss -tuln'  # Specific use case

Test aliases first in a non-production environment to avoid confusion.

Troubleshooting Networking Issues with ss#

Detecting Port Conflicts#

To check if a port is already in use (e.g., port 8080):

ss -tuln sport = :8080  # Check TCP/UDP
ss -uln sport = :8080   # Check UDP only

If output is non-empty, the port is occupied (e.g., by a process like java or nginx).

Identifying Unresponsive Connections#

  • TIME-WAIT Floods: Excessive TIME-WAIT sockets may indicate a misconfigured TCP stack: 
    ss -t state TIME-WAIT | wc -l  # Count TIME-WAIT sockets
  • SYN-RECV Backlog: A growing SYN-RECV count may signal a SYN flood or misbehaving client: 
    ss -t state SYN-RECV  # List pending TCP handshakes

Analyzing Socket Metrics#

To debug TCP performance issues (e.g., retransmissions), use the -i flag:

ss -t -i  # Show TCP metrics for established connections

Output example (truncated):

State      Recv-Q Send-Q Local Address:Port  Peer Address:Port  ...  rto:204800 ato:1000 mss:1460
ESTAB      0      0      192.168.1.5:22      192.168.1.10:54321 ...  rto:204800 ato:1000 mss:1460

Metrics like rto (retransmit timeout) and mss (maximum segment size) help diagnose latency or packet loss.

Frequently Asked Questions (FAQ)#

Is netstat still available on modern Linux distributions?#

netstat is deprecated but often still available through the net-tools package. Most modern distributions (RHEL 8+, Ubuntu 20.04+, Debian 10+) ship with ss by default and require a separate installation of net-tools to use netstat.

Can ss replace all netstat functionality?#

Almost. ss covers the vast majority of netstat use cases—listing connections, displaying listening sockets, showing socket statistics, and process identification. The one notable difference is the routing table (netstat -rn), which is better served by ip route show from the iproute2 suite.

Does ss require root privileges?#

Basic socket listing works without root. However, viewing process information (the -p flag) requires root or appropriate capabilities, similar to netstat -ap.

Is ss faster than netstat?#

Yes. ss communicates with the kernel via the netlink interface, a binary protocol that avoids the overhead of parsing plain-text /proc/net/ files. The performance difference is most noticeable on systems with thousands of active sockets, such as web servers and container hosts.

Can I use ss in Docker containers?#

Yes, ss works inside containers and is useful for debugging network issues in containerized environments. If the container image does not include iproute2, you can install it or use the host's nsenter to inspect the container's network namespace.

Conclusion#

The ss command has largely replaced netstat due to its superior performance, modern feature set, and integration with Linux’s networking ecosystem. By mastering ss, system administrators and DevOps engineers gain faster, more precise control over network sockets—critical for troubleshooting, security, and performance optimization. Embrace ss to future-proof your networking toolkit!

References#

  1. iproute2 Official Documentation: iproute2 GitHub
  2. Linux Man Pages: ss(8) manual page (for detailed flag descriptions)
  3. Red Hat: How to use the ss command
  4. Red Hat: Configuring and managing networking (RHEL 8)
  5. Red Hat: 6 deprecated Linux commands and the tools you should be using instead
  6. Linuxize: ss Command in Linux: Display Socket Statistics
2026-04