netstat vs ss usage guide on Linux
Welcome to netstat vs ss usage guide on Linux which tries to teach you usage of netstat and ss commands using examples. We’ll start off this guide by defining what ss and netstat commands are, what they are used for, and demonstrate how they are used for network analysis and troubleshooting using examples.
What’s netstat?
Netstat is a command-line network utility used to display network connections for the TCP/UDP, network protocol statistics, interface statistics, routing tables, masquerade connections, multicast memberships e.t.c. netstat program is obsolete and its replacement is ss. Some netstat commands have been replaced by ss commands, for example:
$ netstat -r replaced by $ ip route
$ netstat -i replaced by $ ip -s lin
$ netstat -g replaced by $ ip maddr.
What is ss?
ss is a utility used to investigate sockets in Linux and Unix systems. It shows information similar to netstat and able to dump socket statistics. ss command can display more than TCP and state information as compared to other tools. By default, ss displays a list of open non-listening sockets (e.g. TCP/UNIX/UDP) that have established a connection.
netstat vs ss usage guide on Linux with examples:
From this section, we’ll look at examples of ss and netstat command line tools used in Linux and Unix systems. On all latest distributions, these commands should be readily available and you can invoke them by typing the commands on the terminal. If your distribution doesn’t ship with any of the tools, consult its documentation on how to install them.
The following is command line usage of netstat command. You can later look at ss command usage and do a comparison, you’ll then decide which tool works best for you. Just note that netstat will be phased out soon since its deprecated, so you’re advised to learn using ss command.
netstat usage:
Common command line options used with netstat command are:
-l, –listening display listening server sockets
-a, –all display all sockets (default: connected)
-r, –route display routing table
–i, –interfaces display interface table
-g, –groups display multicast group memberships
-s, –statistics display networking statistics (like SNMP)
-M, –masquerade display masqueraded connections
-v, –verbose be verbose
-W, –wide don’t truncate IP addresses
-n, –numeric don’t resolve names
-e, –extend display other/more information
-p, –programs display PID/Program name for sockets
-o, –timers display timers
-F, –fib display Forwarding Information Base (default)
-C, –cache display routing cache instead of FIB
Usage Examples:
Display all sockets ( default: connected)
To get a list of all active connections from different protocols on your system, run:
$ netstat -a
List all UDP ports
$ netstat -au
List all TCP ports:
$ netstat -at
List all listening ports:
$ netstat -l
List all listening tcp ports:
$ netstat -lt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:nfs 0.0.0.0:* LISTEN
tcp 0 0 localhost.localdo:18083 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:37959 0.0.0.0:* LISTEN
tcp 0 0 localhost.locald:mshvlm 0.0.0.0:* LISTEN
List all listening udp ports:
To list listening udp ports, use the option -lu
$ netstat -lu
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
udp 0 0 0.0.0.0:52179 0.0.0.0:*
udp 0 0 0.0.0.0:mountd 0.0.0.0:*
udp 0 0 dev.jmtai.com:bootpc 0.0.0.0:*
udp 0 0 0.0.0.0:sunrpc 0.0.0.0:*
....
Display kernel routing table
Option -r is used to view kernel routing table.
$ netstat -r
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
default _gateway 0.0.0.0 UG 0 0 0 tun0
default _gateway 0.0.0.0 UG 0 0 0 wlp1s0
10.10.46.0 _gateway 255.255.255.0 UG 0 0 0 tun0
10.20.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
See which process is listening on a specific port:
Format is: netstat -pln | grep | awk ‘print $NF’. As an example to see which process is listening on port 22:
$ sudo netstat -pln | grep 22 | awk 'print $NF'
7885/sshd
To confirm this, check from ps command.
$ ps aux | grep 7885
root 7885 0.0 0.0 40692 5452 ? Ss 18:54 0:00 /usr/bin/sshd -D
Display only IPv4 listening ports (TCP and UDP)
Netstat by default gives you a list of both IPv4 and IPv6 listening port list. To get a list of only IPv4, use:
$ sudo netstat -vutlnp --listening -4
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 7885/sshd
tcp 0 0 0.0.0.0:2049 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:18083 0.0.0.0:* LISTEN 429/vboxwebsrv
tcp 0 0 0.0.0.0:37959 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:6600 0.0.0.0:* LISTEN 678/mpd
tcp 0 0 0.0.0.0:49743 0.0.0.0:* LISTEN 422/rpc.statd
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1/init
...
Display network statics of all interfaces
Interface stats can be viewed using the command option -s.
$ sudo netstat -s
To display tcp stats use -st, for udp use -su
Display multicast group membership for both IPv4 and IPv6
Multicast is group communication where data transmission is addressed to a group of destination computers simultaneously. To get a multicast group membership use the option -g
$ sudo netstat -g
IPv6/IPv4 Group Memberships
Interface RefCnt Group
--------------- ------ ---------------------
lo 1 all-systems.mcast.net
wlp1s0 1 224.0.0.251
wlp1s0 1 all-systems.mcast.net
tun0 1 224.0.0.251
tun0 1 all-systems.mcast.net
lo 1 ff02::1
lo 1 ff01::1
wlp1s0 1 ff02::fb
wlp1s0 1 ff02::1:ff48:91f8
wlp1s0 1 ff02::1
wlp1s0 1 ff01::1
tun0 1 ff02::fb
tun0 1 ff02::1
tun0 1 ff01::1
List all listening UNIX ports
$ sudo netstat -lx
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 21766 /tmp/.X11-unix/X0
unix 2 [ ACC ] STREAM LISTENING 276493 /run/user/1000/pulse/cli
unix 2 [ ACC ] STREAM LISTENING 21789 /run/user/1000/i3/ipc-socket.644
unix 2 [ ACC ] STREAM LISTENING 49182 /tmp/qtsingleapp-HipCha-9b70-3e8
unix 2 [ ACC ] STREAM LISTENING 21765 @/tmp/.X11-unix/X0
unix 2 [ ACC ] STREAM LISTENING 18468 /run/gssproxy.sock
unix 2 [ ACC ] STREAM LISTENING 2609 /run/systemd/private
unix 2 [ ACC ] STREAM LISTENING 2620 /run/rpcbind.sock
...
Find port used by a running process
$ sudo netstat -ap | grep ssh
tcp 0 0 0.0.0.0:ssh 0.0.0.0:* LISTEN 7885/sshd
tcp6 0 0 [::]:ssh [::]:* LISTEN 7885/sshd
Display Domain names where possible for IP address:
$ netstat -ltF
This command will list listening tcp ports but show domain names on the output.
Display output in continuous mode
Use –c option to have the output display continuously by refreshing every five seconds.
$ netstat -ac 5
ss usage:
This section covers ss command usage with examples. The commands might miss some of your favorites so feel free to drop a comment for any addition. ss command gets all of its data from the kernel namespace hence can get more data as compared to netstat.
Common options used with ss command are:
–n, –numeric don’t resolve service names
-r, –resolve : resolve host hostnames.
-l, –listening display listening sockets
-o, –options show timer information
-e, –extended show detailed socket information
-m, –memory show socket memory usage
-p, –processes show process using socket
–s, –summary show socket usage summary
-N, –net switch to the specified network namespace name
-4, –ipv4 display only IP version 4 sockets
-6, –ipv6 display only IP version 6 sockets
–0, –packet display PACKET sockets
-t, –tcp display only TCP sockets
-S, –sctp display only SCTP sockets
-u, –udp display only UDP sockets
-w, –raw display only RAW sockets
-x, –unix display only Unix domain sockets
-f, –family=FAMILY display sockets of type FAMILY
Examples;
List all connections
To list all connections, just execute ss command without any option passed to it.
# ss
Show all listing tcp sockets including the corresponding process
The option used is -lt as described on options list shown previously.
# ss -tlp
Show all sockets connecting to 192.168.1.10 on port 443
# ss -t dst 192.168.1.10:443
Show all ssh related connection
# ss -t state established '( dport = :ssh or sport = :ssh )'
Recv-Q Send-Q Local Address:Port Peer Address:Port
0 0 192.168.0.16:60334 192.168.20.3:ssh
List tcp and udp ports with no hostname resolution
# ss -tun
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp ESTAB 0 0 192.168.0.16:41464 216.58.223.74:443
tcp ESTAB 0 0 192.168.0.16:57354 5.160.200.106:80
tcp ESTAB 0 0 192.168.0.16:60334 88.198.68.148:22
....
Print process which owns the connection
# ss -ltp
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:ssh 0.0.0.0:* users:(("sshd",pid=7885,fd=3))
LISTEN 0 64 0.0.0.0:shilp 0.0.0.0:*
LISTEN 0 100 127.0.0.1:18083 0.0.0.0:* users:(("vboxwebsrv",pid=429,fd=9))
...
Show socket usage summary
Pass -s option to get a list of socket related stats, -t and -u can be used to show only tcp or udp stats respectively. The default will show both.
# ss -s
Total: 818 (kernel 946)
TCP: 65 (estab 42, closed 3, orphaned 4, synrecv 0, timewait 1/0), ports 0
Transport Total IP IPv6
* 946 - -
RAW 1 0 1
UDP 14 8 6
TCP 62 56 6
INET 77 64 13
FRAG 0 0 0
Show timer information
Timer information can be obtained using -o option.
# ss -tn -o
Display only raw packets
Use -w command option,
# ss -w
Recv-Q Send-Q Local Address:Port Peer Address:Port
0 0 *:ipv6-icmp *:*
That’s the end of netstat vs ss usage guide on Linux, we’ll keep updating the list so follow us on twitter and facebook to get latest updates.
https://www.computingpost.com/netstat-vs-ss-usage-guide-on-linux/?feed_id=18250&_unique_id=636ce8bac6c35