
Why ss Beats netstat: Fast Socket Monitoring Commands Explained

This article introduces the Linux ss command for displaying socket statistics, compares its speed and capabilities with netstat, provides common usage examples, explains state filters, and shows why ss is the preferred tool for efficient network monitoring and troubleshooting.

MaGe Linux Operations

The ss command displays socket status on Linux, supporting PACKET, TCP, UDP, DCCP, RAW, and Unix domain sockets, and provides detailed TCP state information, making it a fast and effective tool for tracking IP connections.

Many popular Linux distributions include ss, and it is recommended as a replacement for parts of netstat (e.g., netstat -ant).

Common ss commands

ss -l – show all locally listening ports

ss -pl – show each process with its open sockets

ss -t -a – list all TCP sockets

ss -u -a – list all UDP sockets

ss -o state established '( dport = :smtp or sport = :smtp )' – show established SMTP connections

ss -o state established '( dport = :http or sport = :http )' – show established HTTP connections

ss -x src /tmp/.X11-unix/* – find processes connected to the X server

ss -s – display a summary of current socket information

Example: ss vs. netstat performance

# time netstat -ant | grep EST | wc -l
3100
real 0m12.960s
user 0m0.334s
sys 0m12.561s

# time ss -o state established | wc -l
3204
real 0m0.030s
user 0m0.005s
sys 0m0.026s

The results clearly show that ss is much faster at counting concurrent connections.

ss summary output

# ss -s
Total: 3519 (kernel 3691)
TCP: 26557 (estab 3163, closed 23182, orphaned 194, synrecv 0, timewait 23182/0), ports 1452

Transport   Total   IP   IPv6
*           3691    -    -
RAW          2      2    0
UDP         10      7    3
TCP        3375   3368   7
INET       3387   3377  10
FRAG         0      0    0

Listing listening ports:

# ss -l
Recv-Q Send-Q Local Address:Port Peer Address:Port
0 10 :::5989 :::*
0 5 *:rsync *:*
0 128 :::sunrpc :::*
0 128 *:sunrpc *:*
0 511 *:http *:*
0 128 :::ssh :::*
0 128 *:ssh *:*
0 128 :::35766 :::*
0 128 127.0.0.1:ipp *:*
0 128 ::1:ipp :::*
0 100 ::1:smtp :::*
0 100 127.0.0.1:smtp *:*
0 511 *:https *:*
0 100 :::1311 :::*
0 5 *:5666 *:*
0 128 *:3044 *:*
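
A listing like this is most useful when compared against the ports a host is expected to serve. The following is an added example, not part of the original article: it flags non-loopback listeners whose port is not on an expected list. The function name unexpected_listeners, the sample rows and the port list are constructed for illustration, and the input is assumed to be numeric TCP output such as ss -ltn.

```shell
#!/bin/sh
# Added example: flag listeners that are not on an expected-port list.
# unexpected_listeners and the sample rows are constructed for illustration.

# Constructed `ss -ln`-style rows in the column layout shown above.
sample_ss_ln() {
cat <<'EOF'
Recv-Q Send-Q Local Address:Port Peer Address:Port
0 128 :::22 :::*
0 128 *:22 *:*
0 511 *:80 *:*
0 100 127.0.0.1:25 *:*
0 100 ::1:25 :::*
0 5 *:5666 *:*
0 128 :::35766 :::*
EOF
}

# Usage: ss -ltn | unexpected_listeners "22 80 443"
# Prints address:port for every non-loopback listener whose port is not listed.
unexpected_listeners() {
  awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    /Address:Port/ { next }                      # header row
    {
      # The local address is the first field containing a colon; this holds
      # whether or not the ss build prints Netid/State columns first.
      for (i = 1; i <= NF; i++) if (index($i, ":")) break
      if (i > NF) next
      k = split($i, part, ":"); port = part[k]
      addr = substr($i, 1, length($i) - length(port) - 1)
      # Loopback-only services are not reachable from the network.
      if (addr ~ /^127\./ || addr == "::1" || addr == "[::1]") next
      if (!(port in ok)) print $i
    }
  '
}

sample_ss_ln | unexpected_listeners "22 80 443"
```

Run from cron or a configuration-management check, an empty result means every network-reachable listener is accounted for.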

Common ss state filters

established

syn-sent

syn-recv

fin-wait-1

fin-wait-2

time-wait

closed

close-wait

last-ack

listen

closing

all – all of the above states

connected – all states except listen and closed

synchronized – all connected states except syn-sent

bucket – minisockets (time-wait, syn-recv)

big – opposite of bucket

IP address filtering

Use ss src ADDRESS_PATTERN to filter by source address, e.g.:

ss src 120.33.31.1
# list connections from 120.33.31.1
ss src 120.33.31.1:http
ss src 120.33.31.1:8

Port filtering

Use ss dport OP PORT where OP is an operator (<=, >=, ==, !=, <, >). Quote expressions that contain <, > or parentheses so the shell does not interpret them as redirections or subshells. Examples:

ss sport = :http
ss dport = :http
ss 'dport > :1024'
ss 'sport < :32000'
ss sport eq :22
ss dport != :22
ss state connected sport = :http
ss '( sport = :http or sport = :https )'
ss -o state fin-wait-1 '( sport = :http or sport = :https )' dst 192.168.1/24

Why ss is faster than netstat

netstat traverses each PID directory under /proc, while ss reads statistics directly from /proc/net, resulting in lower resource consumption and much faster execution.
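
To show what reading the socket table under /proc/net involves, the following added example (not part of the original article) decodes a constructed /proc/net/tcp-format sample into per-state counts and listening addresses. The function names tcp_state_counts and tcp_listeners and the sample rows are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: decode a /proc/net/tcp-format table without walking /proc/<pid>.
# Function names and the sample rows are constructed for illustration.

# Shared awk helper: hex string -> number (POSIX awk has no strtonum).
AWK_HEX='function hex(s,   i, n) { s = toupper(s); n = 0
  for (i = 1; i <= length(s); i++)
    n = n * 16 + index("0123456789ABCDEF", substr(s, i, 1)) - 1
  return n }'

# Constructed sample rows in /proc/net/tcp layout (trailing columns omitted).
sample_proc_net_tcp() {
cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002
   2: 0A00000A:0016 0B00000A:C350 01 00000000:00000000 02:000A1B2C 00000000     0        0 1003
   3: 0A00000A:0050 0C00000A:D431 06 00000000:00000000 03:00000E10 00000000     0        0 0
   4: 0A00000A:0050 0D00000A:D432 06 00000000:00000000 03:00000E10 00000000     0        0 0
EOF
}

# Count sockets per TCP state; the st column is a hex state code (0A = listen).
tcp_state_counts() {
  awk "$AWK_HEX"'
    BEGIN { st = "established syn-sent syn-recv fin-wait-1 fin-wait-2 time-wait"
            split(st " closed close-wait last-ack listen closing", name, " ") }
    NR > 1 { count[name[hex($4)]]++ }
    END { for (s in count) print s, count[s] }
  ' "${1:-/proc/net/tcp}" | sort
}

# Print the decoded local address:port of every listening socket.
tcp_listeners() {
  awk "$AWK_HEX"'
    # IPv4 bytes appear reversed on little-endian hosts: 0100007F is 127.0.0.1.
    function addr(a,   p) { split(a, p, ":")
      return hex(substr(p[1], 7, 2)) "." hex(substr(p[1], 5, 2)) "." \
             hex(substr(p[1], 3, 2)) "." hex(substr(p[1], 1, 2)) ":" hex(p[2]) }
    NR > 1 && $4 == "0A" { print addr($2) }
  ' "${1:-/proc/net/tcp}"
}

sample_proc_net_tcp | tcp_state_counts -
sample_proc_net_tcp | tcp_listeners -
```

Called without an argument, both functions read the live /proc/net/tcp table of the host they run on.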

ss help output

# ss -h
Usage: ss [ OPTIONS ]
       ss [ OPTIONS ] [ FILTER ]
-h, --help           this message
-V, --version        output version information
-n, --numeric        don't resolve service names
-r, --resolve        resolve host names
-a, --all            display all sockets
-l, --listening      display listening sockets
-o, --options        show timer information
-e, --extended       show detailed socket information
-m, --memory         show socket memory usage
-p, --processes      show process using socket
-i, --info           show internal TCP information
-s, --summary        show socket usage summary
-4, --ipv4           display only IPv4 sockets
-6, --ipv6           display only IPv6 sockets
-0, --packet         display PACKET sockets
-t, --tcp            display only TCP sockets
-u, --udp            display only UDP sockets
-d, --dccp           display only DCCP sockets
-w, --raw            display only RAW sockets
-x, --unix           display only Unix domain sockets
-f, --family=FAMILY  display sockets of type FAMILY
-A, --query=QUERY    QUERY := {all|inet|tcp|udp|raw|unix|packet|netlink}[,QUERY]
-D, --diag=FILE     Dump raw information about TCP sockets to FILE
-F, --filter=FILE    read filter information from FILE
        FILTER := [ state TCP-STATE ] [ EXPRESSION ]