Why the ss Command Beats netstat for Fast Socket Monitoring
Learn how the Linux ss utility provides faster, more detailed socket statistics than netstat, covering TCP/UDP listings, state filtering, process association, and practical command examples, while explaining why ss reads kernel data directly for superior performance in system monitoring.
What is ss?
The ss command displays socket status on Linux, showing PACKET, TCP, UDP, DCCP, RAW, Unix domain sockets and more, providing richer TCP and state information than many other tools.
Why use ss?
It is a fast, efficient tool for tracking IP connections and sockets. It can list all TCP sockets, all UDP sockets, persistent connections (ssh, ftp, http, https) and local processes connected to the X server, and it supports filtering by state, address, or port.
ss vs netstat
Most popular Linux distributions include ss, and many monitoring tools rely on it. Replacing netstat with ss improves performance. For example:
<code>time netstat -ant | grep EST | wc -l
3100
real 0m12.960s
user 0m0.334s
sys 0m12.561s
time ss -o state established | wc -l
3204
real 0m0.030s
user 0m0.005s
sys 0m0.026s</code>
The results show that ss counts concurrent connections far faster than netstat.
Common ss commands
ss -l – show all locally listening ports
ss -pl – show listening sockets together with the process owning each one
ss -t -a – list all TCP sockets
ss -u -a – list all UDP sockets
ss -o state established '( dport = :smtp or sport = :smtp )' – show established SMTP connections
ss -o state established '( dport = :http or sport = :http )' – show established HTTP connections
ss -x src /tmp/.X11-unix/* – find processes connected to the X server
ss -s – display a summary of socket usage
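Added example (not from the original article): a small shell audit that consumes `ss -ltnp` output, combining the -l and -p options listed above, and reports listeners bound to all interfaces on ports outside an allowlist. It assumes the State column comes first, as current iproute2 prints it; the function names, the allowlist and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the layout of `ss -ltnp` output (State column first).
sample_listeners() {
cat <<'EOF'
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 127.0.0.1:6379 0.0.0.0:* users:(("redis-server",pid=901,fd=6))
LISTEN 0 4096 *:9100 *:* users:(("node_exporter",pid=950,fd=3))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=812,fd=4))
LISTEN 0 5 [::1]:631 [::]:* users:(("cupsd",pid=700,fd=7))
LISTEN 0 10 :::5989 :::* users:(("cimserver",pid=1200,fd=5))
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:*
EOF
}

# audit_listeners "22 443": read ss listener lines on stdin and print
# "port address process" for each all-interface bind whose port is not allowed.
audit_listeners() {
    awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "LISTEN" {                        # also skips the header line
        laddr = $4
        port = laddr; sub(/.*:/, "", port)  # text after the last colon
        addr = substr(laddr, 1, length(laddr) - length(port) - 1)
        # any-address binds: IPv4, "*", IPv6 in new ([::]) and old (::) notation
        if (addr != "0.0.0.0" && addr != "*" && addr != "[::]" && addr != "::") next
        if (port in ok) next
        proc = "unknown"                    # no Process column without privileges
        if (match($0, /users:\(\("[^"]+"/)) proc = substr($0, RSTART + 9, RLENGTH - 10)
        print port, addr, proc
    }' | sort -u
}

# Live use (run as root to see processes of other users): ss -ltnp | audit_listeners "22 443"
sample_listeners | audit_listeners "22"
```

Loopback-only listeners such as 127.0.0.1:6379 and [::1]:631 are ignored because they are not reachable from other hosts.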
Example summary output
<code># ss -s
Total: 3519 (kernel 3691)
TCP: 26557 (estab 3163, closed 23182, orphaned 194, synrecv 0, timewait 23182/0), ports 1452
Transport Total IP IPv6
* 3691 - -
RAW 2 2 0
UDP 10 7 3
TCP 3375 3368 7
INET 3387 3377 10
FRAG 0 0 0</code>
Listing listening ports
<code># ss -l
Recv-Q Send-Q Local Address:Port Peer Address:Port
0 10 :::5989 :::*
0 5 *:rsync *:*
...</code>
Filtering by address or port
Address filtering:
<code>ss src 120.33.31.1 # connections from 120.33.31.1
ss src 120.33.31.1:http # connections from 120.33.31.1 on port 80</code>
Port filtering uses operators such as <=, >=, ==, !=, <, >:
<code>ss dport = :http
ss dport \> :1024 # escape > so the shell does not treat it as a redirection
ss sport = :22
ss state connected sport = :http</code>
Why ss is faster than netstat
netstat traverses each PID directory under /proc, while ss reads aggregated statistics directly from /proc/net, resulting in far lower CPU and time consumption.
ss help overview
<code># ss -h
Usage: ss [ OPTIONS ] [ FILTER ]
-h, --help this message
-V, --version output version information
-n, --numeric don't resolve service names
-r, --resolve resolve host names
-a, --all display all sockets
-l, --listening display listening sockets
-o, --options show timer information
-e, --extended show detailed socket information
-m, --memory show socket memory usage
-p, --processes show process using socket
-i, --info show internal TCP information
-s, --summary show socket usage summary
-4, --ipv4 display only IPv4 sockets
-6, --ipv6 display only IPv6 sockets
-0, --packet display PACKET sockets
-t, --tcp display only TCP sockets
-u, --udp display only UDP sockets
-d, --dccp display only DCCP sockets
-w, --raw display only RAW sockets
-x, --unix display only Unix domain sockets
-f, --family=FAMILY display sockets of type FAMILY
-A, --query=QUERY --socket=QUERY
-D, --diag=FILE Dump raw information about TCP sockets to FILE
-F, --filter=FILE read filter information from FILE</code>
Efficient Ops
This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.