The ss (socket statistics) command is the modern replacement for netstat. It is faster, more feature-rich, and provides more detailed information about network connections. Since netstat is deprecated in many distributions, learning ss is essential.
Why ss Over netstat?
- Speed — ss reads directly from kernel netlink, while netstat parses /proc files
- More information — ss shows TCP internal state, congestion info, and memory usage
- Better filtering — ss supports powerful expression-based filtering
- Always available — Part of iproute2, installed on all modern distros
Basic Usage
# Show all connections
ss
# Show listening sockets
ss -l
# Show TCP connections
ss -t
# Show UDP connections
ss -u
# Show listening TCP sockets with process names
ss -tlnp
# Flags:
# -t TCP
# -u UDP
# -l Listening sockets only
# -n Show port numbers (not service names)
# -p Show process using the socket
# -a Show all sockets (listening and non-listening)
# -s Show summary statistics
# -e Show extended information
# -m Show memory usage
# -i Show internal TCP informationCommon Tasks
Find What Is Listening on a Port
# What process is using port 80?
sudo ss -tlnp sport = :80
# Output:
# State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
# LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=1234,fd=6))
# Check all listening ports
sudo ss -tlnpCount Connections by State
# Summary statistics
ss -s
# Total: 256
# TCP: 185 (estab 120, closed 15, orphaned 2, timewait 48)
# Count connections per state
ss -t state established | wc -l
ss -t state time-wait | wc -l
ss -t state close-wait | wc -lFind Connections to a Specific Service
# All connections to MySQL
ss -tn dport = :3306
# All connections to web server
ss -tn dport = :443
# Connections from a specific IP
ss -tn src 192.168.1.100
# Connections to a specific remote IP
ss -tn dst 10.0.0.5Advanced Filtering
# Connections in ESTABLISHED state
ss -t state established
# Connections with send queue not empty (potential issues)
ss -t -o state established "( send-q > 0 )"
# High-port connections only
ss -tn sport gt :1024
# Connections to port range
ss -tn dport ge :8000 and dport le :9000
# Multiple conditions
ss -tn state established src 10.0.0.0/8Detailed Connection Information
# Show TCP internal state (congestion window, RTT, etc.)
ss -ti
# Example output:
# cubic wscale:7,7 rto:204 rtt:1.5/0.75 ato:40 mss:1460
# pmtu:1500 rcvmss:1460 advmss:1460 cwnd:10 bytes_sent:1234
# bytes_received:5678 segs_out:100 segs_in:150
# Show memory usage per socket
ss -tm
# Show timer information
ss -tonetstat to ss Cheat Sheet
# netstat command → ss equivalent
# netstat -tlnp → ss -tlnp
# netstat -an → ss -an
# netstat -s → ss -s
# netstat -r → ip route (not ss)
# netstat -i → ip -s link (not ss)
# netstat -g → ip maddr (not ss)
# netstat -an | grep LISTEN → ss -ln
# netstat -an | grep ESTABLISHED → ss state establishedMonitoring Scripts
#!/bin/bash
# Connection monitor — shows connection count by state
echo "=== Connection Summary ==="
echo "Established: $(ss -t state established | tail -n +2 | wc -l)"
echo "Time-Wait: $(ss -t state time-wait | tail -n +2 | wc -l)"
echo "Close-Wait: $(ss -t state close-wait | tail -n +2 | wc -l)"
echo "Listening: $(ss -tl | tail -n +2 | wc -l)"
echo ""
echo "=== Top 10 Remote IPs ==="
ss -tn state established | tail -n +2 |
awk "{print $5}" | cut -d: -f1 | sort | uniq -c | sort -rn | head -10