Linux tools: How to use the ss command | Enable Sysadmin – Red Hat

If you’re like me, you still cling to soon-to-be-deprecated commands like ifconfig, nslookup, and netstat. The new replacements are ip, dig, and ss, respectively. It’s time to (reluctantly) put legacy utilities aside and head into the future with ss. The ip command is worth mentioning here because some of netstat’s functionality has been replaced by ip. This article covers the essentials for the ss command so you don’t have to dig (no pun intended) for them.

Formally, ss is the socket statistics command that replaces netstat. In this article, I provide netstat commands and their ss overrides. Michale Prokop, the ss developer, made it easier for us to transition to ss from netstat by making some of the netstat options work the same way in ss.

For example, to display TCP sockets, use

the -t option: $ netstat -t Active Internet connections (serverless) Proto Recv-Q Send-Q Local address Foreign address State tcp 0 0 rhel8:ssh khess-mac:62036 ESTABLISHED $ ss -t State recv-q Send-Q Local address:Port Pair Address:Port ESTAB 0 0

You can see that the information given is essentially the same, But to better mimic what you see in the netstat command

, use the -r (solve) option: $ ss -tr State Recv-Q Send-Q Local Address:Port Peer Address:Port ESTAB 0 0 rhel8:ssh khess-mac:62036

And to see the port numbers instead of their translations, use the -n: $ ss

-ntr State Recv-Q Send-Q Local Address option: Port Peer Address: ESTAB Port 0 0 rhel8:22 khess-mac:62036

It’s not 100% necessary than netstat and ss mesh, but it makes the transition a bit easier. So, try your netstat options on hold before entering the man page or the Internet for answers, and you might be pleasantly surprised with the results.

For example, the netstat command with the old wait options -an produces comparable results (which are too long to show here in full): $ netstat -an

|grep LISTEN tcp 0 0* LISTEN tcp6 0 0 :::22 :::* LISTEN unix 2 [ ACC ] STREAM LISTENING 28165 /run/user/0/systemd/private unix 2 [ ACC ] STREAM LISTENING 20942 /var/lib/sss/pipes/private/sbus-dp_implicit_files.642 unix 2 [ ACC ] STREAM LISTENING 28174 /run/user/0/bus unix 2 [ ACC ] STREAM LISTENING 20241 /var/run/lsm/ipc/simc <truncated> $ ss -an |grep LISTEN u_str LISTEN 0 128 /run/user/0/systemd/private 28165 * 0 u_str LISTEN 0 128 /var/lib/sss/pipes/private/sbus-dp_implicit_files.642 20942 * 0 u_str LISTEN 0 128 /run/user/0/bus 28174 * 0 u_str LISTEN 0 5 /var/run/lsm/ipc/simc 20241 * 0 <truncated>

TCP entries fall at the end of the ss command display and at the beginning of netstat. Therefore, there are design differences even though the information displayed is actually the same.

If you’re wondering which netstat commands have been replaced by the ip command, here’s one for you: $ netstat

-g IPv6/IPv4 Group Memberships Interface RefCnt Group – – – lo 1 enp0s3 1 lo 1 ff02::1 lo 1 ff01::1 enp0s3 1 ff02::1:ffa6:ab3e enp0s3 1 ff02::1:ff8d:912c enp0s3 1 ff02: :1 enp0s3 1 ff01: :1 $ IP maddr 1: lo inet inet6 ff02::1 inet6 ff01::1 2: enp0s3 link 01:00:5e:00:00:01 link 33:33:00:00:00:01 link 33:33:ff:8d:91:2c link 33:33:ff:a6:ab:3e inet6 ff02::1:ffa6:ab3e inet6 ff02::1:ff8d:912c inet6 ff02::1 inet6 ff01::1 inet6 ff01::1

The ss command is not perfect (sorry, Michael). In fact, there is a significant annoyance of sss. You can try this one for yourself to compare the two

: $netstat -s Ip: Forwarding: 2 6231 packets received in total 2 with invalid addresses 0 forwarded 0 incoming packets discarded 3104 incoming packets delivered 2011 requests sent 243 discarded due to path missing <truncated> $ ss -s Total: 182 TCP: 3 (estab 1, closed 0, orphan 0, timewait 0) Total IP transport IPv6 RAW 1 0 1 UDP 3 2 1 TCP 3 2 1 INET 7 4 3 FRAG 0 0 0

If you find out how to display the same information with ss, let me know


Perhaps as ss evolves, it will include more features. I guess Michael or someone else could always look at the netstat command to get those stats from him. For me, I prefer netstat, and I’m not sure exactly why it’s deprecated in favor of ss. The output of ss is less human-readable in almost all cases.

What about ss makes it a better choice than netstat? I guess I could ask the same question to the other network tool utilities as well. I don’t find anything wrong with them. In my opinion, unless you’re significantly improving one existing utility, why bother disapproving the other?

There, you have the ss command in a nutshell. As netstat fades into oblivion, I’m sure I’ll eventually embrace ss as its successor.

Do you want more information about networking topics? Check out the Linux networking cheat sheet.

Contact US