Why ss Beats netstat: Fast Linux Socket Monitoring Commands
The article explains how the Linux ss command provides comprehensive socket statistics, lists its most useful options, demonstrates performance advantages over netstat with timing examples, and shows how to filter by state, address, or port for efficient system monitoring.
Overview of the ss command
The ss utility displays socket status for PACKET, TCP, UDP, DCCP, RAW, and Unix domain sockets, offering more TCP and state information than traditional tools and serving as a fast, effective way to track IP connections.
Key capabilities
All TCP sockets
All UDP sockets
Persistent SSH/FTP/HTTP/HTTPS connections
Local processes connected to the X server
Filtering by state (e.g., connected, SYN‑RECV, TIME‑WAIT), address, or port
Listing sockets in FIN‑WAIT‑1 state and more
Performance comparison with netstat
# time netstat -ant | grep EST | wc -l
3100
real 0m12.960s
user 0m0.334s
sys 0m12.561s
# time ss -o state established | wc -l
3204
real 0m0.030s
user 0m0.005s
sys 0m0.026sThe results clearly show that ss counts concurrent connections far more efficiently than netstat.
Common ss commands
ss -l # show all listening ports
ss -pl # show process using each socket
ss -t -a # list all TCP sockets
ss -u -a # list all UDP sockets
ss -o state established '( dport = :smtp or sport = :smtp )'
ss -o state established '( dport = :http or sport = :http )'
ss -x src /tmp/.X11-unix/*
ss -s # summary of socket usageFiltering examples
# ss -s
Total: 3519 (kernel 3691)
TCP: 26557 (estab 3163, closed 23182, orphaned 194, synrecv 0, timewait 23182/0), ports 1452
# ss -lRecv-Q Send-Q Local Address:Port Peer Address:Port
0 10 :::5989 *:*
0 5 *:rsync *:*
... (additional lines omitted for brevity)State filters
established
syn-sent
syn-recv
fin-wait-1
fin-wait-2
time-wait
closed
close-wait
last-ack
listen
closing
all
connected
synchronized
bucket
bigIP and port filtering
ss src 120.33.31.1 # connections from this IP
ss src 120.33.31.1:http # connections from this IP on port 80
ss dport = :http # destination port http
ss sport > :1024 # source ports greater than 1024
ss sport eq :22 # source port equal to 22
ss state connected sport = :http # connected HTTP trafficWhy ss is faster than netstat
netstatiterates through each PID directory under /proc, while ss reads aggregated statistics directly from /proc/net, resulting in significantly lower resource usage and execution time.
ss help summary
# ss -h
Usage: ss [ OPTIONS ] [ FILTER ]
-h, --help this message
-V, --version output version information
-n, --numeric don't resolve service names
-r, --resolve resolve host names
-a, --all display all sockets
-l, --listening display listening sockets
-o, --options show timer information
-e, --extended show detailed socket information
-m, --memory show socket memory usage
-p, --processes show process using socket
-4, --ipv4 display only IPv4 sockets
-6, --ipv6 display only IPv6 sockets
-t, --tcp display only TCP sockets
-u, --udp display only UDP sockets
-x, --unix display only Unix domain sockets
... (additional options omitted for brevity)Signed-in readers can open the original source through BestHub's protected redirect.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
Open Source Linux
Focused on sharing Linux/Unix content, covering fundamentals, system development, network programming, automation/operations, cloud computing, and related professional knowledge.
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.