If you're like me, you still cling to soon-to-be-deprecated commands like
netstat. The new replacements are
ss, respectively. It's time to (reluctantly) let go of legacy utilities and head into the future with
ip command is worth a mention here because part of
netstat's functionality has been replaced by
ip. This article covers the essentials for the
ss command so that you don't have to dig (no pun intended) for them.
ss is the socket statistics command that replaces
netstat. In this article, I provide
netstat commands and their
ss replacements. Michale Prokop, the developer of
ss, made it easy for us to transition into
netstat by making some of
netstat's options operate in much the same fashion in
For example, to display TCP sockets, use the
$ netstat -t Active Internet connections (w/o servers) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 rhel8:ssh khess-mac:62036 ESTABLISHED $ ss -t State Recv-Q Send-Q Local Address:Port Peer Address:Port ESTAB 0 0 192.168.1.65:ssh 192.168.1.94:62036
You can see that the information given is essentially the same, but to better mimic what you see in the
netstat command, use the
-r (resolve) option:
$ ss -tr State Recv-Q Send-Q Local Address:Port Peer Address:Port ESTAB 0 0 rhel8:ssh khess-mac:62036
And to see port numbers rather than their translations, use the
$ ss -ntr State Recv-Q Send-Q Local Address:Port Peer Address:Port ESTAB 0 0 rhel8:22 khess-mac:62036
It isn't 100% necessary that
ss mesh, but it does make the transition a little easier. So, try your standby
netstat options before hitting the man page or the internet for answers, and you might be pleasantly surprised at the results.
For example, the
netstat command with the old standby options
-an yield comparable results (which are too long to show here in full):
$ netstat -an |grep LISTEN tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN tcp6 0 0 :::22 :::* LISTEN unix 2 [ ACC ] STREAM LISTENING 28165 /run/user/0/systemd/private unix 2 [ ACC ] STREAM LISTENING 20942 /var/lib/sss/pipes/private/sbus-dp_implicit_files.642 unix 2 [ ACC ] STREAM LISTENING 28174 /run/user/0/bus unix 2 [ ACC ] STREAM LISTENING 20241 /var/run/lsm/ipc/simc <truncated> $ ss -an |grep LISTEN u_str LISTEN 0 128 /run/user/0/systemd/private 28165 * 0 u_str LISTEN 0 128 /var/lib/sss/pipes/private/sbus-dp_implicit_files.642 20942 * 0 u_str LISTEN 0 128 /run/user/0/bus 28174 * 0 u_str LISTEN 0 5 /var/run/lsm/ipc/simc 20241 * 0 <truncated>
The TCP entries fall at the end of the
ss command's display and at the beginning of
netstat's. So, there are layout differences even though the displayed information is really the same.
If you're wondering which
netstat commands have been replaced by the
ip command, here's one for you:
$ netstat -g IPv6/IPv4 Group Memberships Interface RefCnt Group --------------- ------ --------------------- lo 1 all-systems.mcast.net enp0s3 1 all-systems.mcast.net lo 1 ff02::1 lo 1 ff01::1 enp0s3 1 ff02::1:ffa6:ab3e enp0s3 1 ff02::1:ff8d:912c enp0s3 1 ff02::1 enp0s3 1 ff01::1 $ ip maddr 1: lo inet 188.8.131.52 inet6 ff02::1 inet6 ff01::1 2: enp0s3 link 01:00:5e:00:00:01 link 33:33:00:00:00:01 link 33:33:ff:8d:91:2c link 33:33:ff:a6:ab:3e inet 184.108.40.206 inet6 ff02::1:ffa6:ab3e inet6 ff02::1:ff8d:912c inet6 ff02::1 inet6 ff01::1
ss command isn't perfect (sorry, Michael). In fact, there is one significant
ss bummer. You can try this one for yourself to compare the two:
$ netstat -s Ip: Forwarding: 2 6231 total packets received 2 with invalid addresses 0 forwarded 0 incoming packets discarded 3104 incoming packets delivered 2011 requests sent out 243 dropped because of missing route <truncated> $ ss -s Total: 182 TCP: 3 (estab 1, closed 0, orphaned 0, timewait 0) Transport Total IP IPv6 RAW 1 0 1 UDP 3 2 1 TCP 3 2 1 INET 7 4 3 FRAG 0 0 0
If you figure out how to display the same info with
ss, please let me know.
ss evolves, it will include more features. I guess Michael or someone else could always just look at the
netstat command to glean those statistics from it. For me, I prefer
netstat, and I'm not sure exactly why it's being deprecated in favor of
ss. The output from
ss is less human-readable in almost every instance.
What do you think? What about
ss makes it a better option than
netstat? I suppose I could ask the same question of the other
net-tools utilities as well. I don't find anything wrong with them. In my mind, unless you're significantly improving an existing utility, why bother deprecating the other?
There, you have the
ss command in a nutshell. As
netstat fades into oblivion, I'm sure I'll eventually embrace
ss as its successor.
Want more on networking topics? Check out the Linux networking cheat sheet.