
Mastering the ss Command: A Faster Alternative to netstat for Linux Socket Monitoring

This guide explains how the Linux ss utility provides comprehensive socket statistics—including TCP, UDP, and Unix sockets—offers powerful filtering by state, address, and port, and demonstrates why it outperforms netstat in speed and resource usage through concrete command examples.

Liangxu Linux

The ss command displays socket status on Linux, covering PACKET, TCP, UDP, DCCP, RAW, and Unix domain sockets, and provides more detailed TCP and state information than traditional tools.

Why Use ss Instead of netstat

Most popular Linux distributions include ss, and many monitoring tools rely on it. It reads statistics directly from /proc/net, avoiding the per‑PID traversal that netstat performs, resulting in significantly lower CPU and time consumption.

Performance Comparison

# time netstat -ant | grep EST | wc -l
3100
real 0m12.960s
user 0m0.334s
sys 0m12.561s
# time ss -o state established | wc -l
3204
real 0m0.030s
user 0m0.005s
sys 0m0.026s

The test shows ss completes the same task in a fraction of the time.

Common ss Commands

ss -l                     # list all listening ports
ss -pl                    # show process owning each socket
ss -t -a                  # list all TCP sockets
ss -u -a                  # list all UDP sockets
ss -o state established '( dport = :smtp or sport = :smtp )'   # SMTP connections
ss -o state established '( dport = :http or sport = :http )'   # HTTP connections
ss -x src '/tmp/.X11-unix/*'                             # processes connected to X server (quoted so the shell does not expand the glob)
ss -s                     # summary of socket usage

Filtering by State, Address, and Port

Start with a summary of socket counts by state:

# ss -s
Total: 3519 (kernel 3691)
TCP: 26557 (estab 3163, closed 23182, orphaned 194, synrecv 0, timewait 23182/0), ports 1452

List listening ports:

# ss -l
Recv-Q Send-Q Local Address:Port Peer Address:Port
0 10 :::5989 *:*
0 5 *:rsync *:*
... (additional lines omitted for brevity)

Show processes and ports:

# ss -pl

List all TCP sockets:

# ss -t -a

List all UDP sockets:

# ss -u -a

Show HTTP connections:

# ss -o state established '( dport = :http or sport = :http )'

Filter by source IP:

ss src 120.33.31.1               # sockets whose local (source) address is this IP
ss src 120.33.31.1:http          # same, restricted to local port 80 (http)
ss src 120.33.31.1:8

Port Filtering Operators

Operator syntax:

<= or le : less than or equal
>= or ge : greater than or equal
== or eq : equal
!= or ne : not equal
< or lt : less than
> or gt : greater than

Example usages (quote any expression containing <, >, or parentheses so the shell does not treat them as redirection or subshell syntax):

ss sport = :http
ss dport = :http
ss 'dport > :1024'
ss 'sport < :32000'
ss sport eq :22
ss dport != :22
ss state connected sport = :http
ss '( sport = :http or sport = :https )'
ss -o state fin-wait-1 '( sport = :http or sport = :https )' dst 192.168.1/24
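
As an added example (not part of the original article), the script below post-processes `ss -tan` output to list TCP listeners bound to every interface and to flag ports missing from an allowlist. The function names, the allowlist, and the sample socket table are constructed for illustration.

```shell
# Added example: audit `ss -tan` output for listeners exposed on all interfaces.

# Constructed sample in the column layout `ss -tan` prints (not real host data).
sample_ss_output() {
cat <<'EOF'
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN     0      128    0.0.0.0:22           0.0.0.0:*
LISTEN     0      128    127.0.0.1:631        0.0.0.0:*
LISTEN     0      10     :::5989              :::*
LISTEN     0      511    [::]:8080            [::]:*
LISTEN     0      5      *:873                *:*
ESTAB      0      0      10.0.0.5:22          10.0.0.9:51514
TIME-WAIT  0      0      10.0.0.5:8080        10.0.0.7:40022
EOF
}

# Read `ss -tan` output on stdin; print the port of every LISTEN socket whose
# local address is a wildcard (*, 0.0.0.0, :: or [::]), one port per line.
wildcard_listeners() {
    awk '$1 == "LISTEN" {
        ep = $4                                  # Local Address:Port column
        n = split(ep, parts, ":")
        port = parts[n]                          # text after the last colon
        addr = substr(ep, 1, length(ep) - length(port) - 1)
        if (addr == "*" || addr == "0.0.0.0" || addr == "::" || addr == "[::]")
            print port
    }' | sort -n | uniq
}

# Print wildcard-bound ports that are absent from the space-separated allowlist $1.
unexpected_listeners() {
    allowed=" $1 "
    wildcard_listeners | while read -r port; do
        case "$allowed" in
            *" $port "*) ;;                      # expected service, stay quiet
            *) echo "$port" ;;
        esac
    done
}

# Count sockets in one TCP state, e.g. to spot a TIME-WAIT or SYN-RECV pile-up.
count_state() {
    awk -v s="$1" '$1 == s { n++ } END { print n + 0 }'
}

# Demo on the constructed sample; on a live host pipe in `ss -tan` instead.
sample_ss_output | unexpected_listeners "22 443"
```

The loopback-only listener on 127.0.0.1:631 is deliberately not reported, since it is not reachable from other hosts.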

Help Options

# ss -h
Usage: ss [ OPTIONS ]
       ss [ OPTIONS ] [ FILTER ]
   -h, --help           this message
   -V, --version        output version information
   -n, --numeric        don't resolve service names
   -r, --resolve        resolve host names
   -a, --all            display all sockets
   -l, --listening      display listening sockets
   -o, --options        show timer information
   -e, --extended       show detailed socket information
   -m, --memory         show socket memory usage
   -p, --processes      show process using socket
   -4, --ipv4           display only IPv4 sockets
   -6, --ipv6           display only IPv6 sockets
   -0, --packet         display PACKET sockets
   -t, --tcp            display only TCP sockets
   -u, --udp            display only UDP sockets
   -d, --dccp           display only DCCP sockets
   -w, --raw            display only RAW sockets
   -x, --unix           display only Unix domain sockets

By mastering these commands and filters, administrators can efficiently monitor and troubleshoot network connections on Linux systems.
