Why the ss Command Beats netstat for Fast Socket Monitoring
The article explains how the Linux ss command provides a faster, more detailed view of TCP/UDP sockets than netstat, lists its key features, demonstrates practical examples for filtering by state, address, and port, and shows how to use various ss options for effective network diagnostics.
The ss command displays socket status on Linux, supporting PACKET, TCP, UDP, DCCP, RAW, and Unix domain sockets, and offers richer TCP state information than traditional tools.
Key Capabilities of ss
List all TCP sockets
List all UDP sockets
Show persistent connections (ssh, ftp, http, https)
Display processes connected to the X server
Filter by state, address, or port
Show sockets in FIN‑WAIT‑1 and other states
Performance Comparison with netstat
Running time netstat -ant | grep EST | wc -l on a test server yields 3100 connections in real 0m12.960s, while time ss -o state established | wc -l reports 3204 connections in just real 0m0.030s. The result demonstrates that ss is dramatically faster because it reads pre‑aggregated data from /proc/net instead of traversing each /proc/[PID] directory.
Common ss Commands
# ss -l # show all listening ports
# ss -pl # show process name for each socket
# ss -t -a # list all TCP sockets
# ss -u -a # list all UDP sockets
# ss -o state established '( dport = :smtp or sport = :smtp )' # SMTP connections
# ss -x src /tmp/.X11-unix/* # processes connected to X server
# ss -s # summary of socket usageFiltering by State
Typical state filters include established, syn‑sent, syn‑recv, fin‑wait‑1, fin‑wait‑2, time‑wait, closed, listen, etc. Example to list HTTP connections in FIN‑WAIT‑1:
# ss -o state fin-wait-1 '( sport = :http or sport = :https )'Address and Port Filtering
Use src or dst followed by an address pattern, and dport / sport with operators ( <=, >=, ==, !=, <, >) to refine results. Examples:
# ss src 120.33.31.1 # connections from this IP
# ss dport = :http # sockets using HTTP port
# ss sport > :1024 # source ports greater than 1024
# ss state connected sport = :http # established HTTP connectionsWhy ss Is Faster
netstat iterates through each PID directory under /proc, while ss reads aggregated socket statistics directly from /proc/net, resulting in far lower CPU and time consumption.
Help and Options Overview
# ss -h # display help
# ss -V # version
# ss -n # numeric output (no name resolution)
# ss -a # show all sockets
# ss -l # listening sockets only
# ss -o # show timer information
# ss -e # extended socket details
# ss -p # show process using each socket
# ss -t # TCP only
# ss -u # UDP only
# ss -x # Unix domain sockets only
# ss -4 / -6 # IPv4 or IPv6 onlyThese commands and filters enable administrators to quickly diagnose network performance issues, replace netstat in monitoring scripts, and obtain precise socket information with minimal overhead.
Signed-in readers can open the original source through BestHub's protected redirect.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.