Why the ss Command Beats netstat for Fast Socket Monitoring

The ss command is a modern Linux utility for displaying socket statistics, covering PACKET, TCP, UDP, DCCP, RAW, and Unix domain sockets, and it presents more detailed state information than traditional tools.

Key Capabilities

List all TCP sockets

List all UDP sockets

Show persistent connections for ssh, ftp, http/https

Identify local processes connected to the X server

Filter by state (e.g., connected, SYN‑RECV, TIME‑WAIT), address, or port

Display sockets in specific states such as FIN‑WAIT‑1

Performance Comparison with netstat

# time netstat -ant | grep EST | wc -l
3100
real 0m12.960s
user 0m0.334s
sys 0m12.561s
# time ss -o state established | wc -l
3204
real 0m0.030s
user 0m0.005s
sys 0m0.026s

The timing results clearly show that ss counts concurrent connections far more efficiently than netstat.

Common ss Commands

ss -l                     # Show all locally listening ports
ss -pl                    # Show process name for each socket
ss -t -a                  # List all TCP sockets
ss -u -a                  # List all UDP sockets
ss -o state established '( dport = :smtp or sport = :smtp )'   # Show established SMTP connections
ss -o state established '( dport = :http or sport = :http )'   # Show established HTTP connections
ss -x src /tmp/.X11-unix/*                               # Find processes connected to the X server
ss -s                     # Summarize current socket statistics

Filtering by State, IP, and Port

Examples of state filters:

# ss -s
Total: 3519 (kernel 3691)
TCP: 26557 (estab 3163, closed 23182, orphaned 194, synrecv 0, timewait 23182/0), ports 1452
...

Filtering by IP address:

ss src 120.33.31.1               # Show connections from this IP
ss src 120.33.31.1:http          # Show connections from this IP on port 80

Filtering by destination port with operators:

ss dport > :1024                # Ports greater than 1024
ss dport <= :80                # Ports less than or equal to 80
ss dport != :22                # Exclude port 22

Why ss Is Faster Than netstat

netstat

traverses each PID directory under /proc, while ss reads pre‑aggregated statistics directly from /proc/net, resulting in significantly lower CPU usage and execution time.

ss Help Overview

# ss -h
Usage: ss [ OPTIONS ]
  -h, --help           this message
  -V, --version        output version information
  -n, --numeric        don't resolve service names
  -r, --resolve        resolve host names
  -a, --all            display all sockets
  -l, --listening      display listening sockets
  -o, --options        show timer information
  -e, --extended       show detailed socket information
  -m, --memory         show socket memory usage
  -p, --processes      show process using socket
  -4, --ipv4           display only IPv4 sockets
  -6, --ipv6           display only IPv6 sockets
  -0, --packet         display PACKET sockets
  -t, --tcp            display only TCP sockets
  -u, --udp            display only UDP sockets
  -d, --dccp           display only DCCP sockets
  -w, --raw            display only RAW sockets
  -x, --unix           display only Unix domain sockets
  -A, --query=QUERY    specify socket type query
  -D, --diag=FILE      dump raw TCP socket info to FILE
  -F, --filter=FILE    read filter information from FILE

These options allow fine‑grained control over the information displayed, making ss a powerful tool for system administrators and developers monitoring network activity.