netstat vs ss usage guide on Linux

ComputingPost
7 min readNov 10, 2022

--

Welcome to netstat vs ss usage guide on Linux which tries to teach you usage of netstat and ss commands using examples. We’ll start off this guide by defining what ss and netstat commands are, what they are used for, and demonstrate how they are used for network analysis and troubleshooting using examples.

What’s netstat?

Netstat is a command-line network utility used to display network connections for the TCP/UDP, network protocol statistics, interface statistics, routing tables, masquerade connections, multicast memberships e.t.c. netstat program is obsolete and its replacement is ss. Some netstat commands have been replaced by ss commands, for example:

$ netstat -r   replaced by   $ ip route

$ netstat -i replaced by $ ip -s lin

$ netstat -g replaced by $ ip maddr.

What is ss?

ss is a utility used to investigate sockets in Linux and Unix systems. It shows information similar to netstat and able to dump socket statistics. ss command can display more than TCP and state information as compared to other tools. By default, ss displays a list of open non-listening sockets (e.g. TCP/UNIX/UDP) that have established a connection.

netstat vs ss usage guide on Linux with examples:

From this section, we’ll look at examples of ss and netstat command line tools used in Linux and Unix systems. On all latest distributions, these commands should be readily available and you can invoke them by typing the commands on the terminal. If your distribution doesn’t ship with any of the tools, consult its documentation on how to install them.

The following is command line usage of netstat command. You can later look at ss command usage and do a comparison, you’ll then decide which tool works best for you. Just note that netstat will be phased out soon since its deprecated, so you’re advised to learn using ss command.

netstat usage:

Common command line options used with netstat command are:

-l, –listening display listening server sockets
-a, –all display all sockets (default: connected)
-r, –route display routing table
i, –interfaces display interface table
-g, –groups display multicast group memberships
-s, –statistics display networking statistics (like SNMP)
-M, –masquerade display masqueraded connections
-v, –verbose be verbose
-W, –wide don’t truncate IP addresses
-n, –numeric don’t resolve names
-e, –extend display other/more information
-p, –programs display PID/Program name for sockets
-o, –timers display timers
-F, –fib display Forwarding Information Base (default)
-C, –cache display routing cache instead of FIB

Usage Examples:

Display all sockets ( default: connected)

To get a list of all active connections from different protocols on your system, run:

$ netstat -a

List all UDP ports

$ netstat -au

List all TCP ports:

$ netstat -at

List all listening ports:

$ netstat -l

List all listening tcp ports:

$ netstat -lt

Active Internet connections (only servers)

Proto Recv-Q Send-Q Local Address Foreign Address State

tcp 0 0 0.0.0.0:nfs 0.0.0.0:* LISTEN

tcp 0 0 localhost.localdo:18083 0.0.0.0:* LISTEN

tcp 0 0 0.0.0.0:37959 0.0.0.0:* LISTEN

tcp 0 0 localhost.locald:mshvlm 0.0.0.0:* LISTEN

List all listening udp ports:

To list listening udp ports, use the option -lu

$ netstat -lu

Active Internet connections (only servers)

Proto Recv-Q Send-Q Local Address Foreign Address State

udp 0 0 0.0.0.0:52179 0.0.0.0:*

udp 0 0 0.0.0.0:mountd 0.0.0.0:*

udp 0 0 dev.jmtai.com:bootpc 0.0.0.0:*

udp 0 0 0.0.0.0:sunrpc 0.0.0.0:*

....

Display kernel routing table

Option -r is used to view kernel routing table.

$ netstat -r

Kernel IP routing table

Destination Gateway Genmask Flags MSS Window irtt Iface

default _gateway 0.0.0.0 UG 0 0 0 tun0

default _gateway 0.0.0.0 UG 0 0 0 wlp1s0

10.10.46.0 _gateway 255.255.255.0 UG 0 0 0 tun0

10.20.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0

See which process is listening on a specific port:

Format is: netstat -pln | grep | awk ‘print $NF’. As an example to see which process is listening on port 22:

$ sudo netstat -pln | grep 22 | awk 'print $NF'

7885/sshd

To confirm this, check from ps command.

$ ps aux | grep 7885

root 7885 0.0 0.0 40692 5452 ? Ss 18:54 0:00 /usr/bin/sshd -D

Display only IPv4 listening ports (TCP and UDP)

Netstat by default gives you a list of both IPv4 and IPv6 listening port list. To get a list of only IPv4, use:

$ sudo netstat -vutlnp --listening -4

Active Internet connections (only servers)

Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name

tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 7885/sshd

tcp 0 0 0.0.0.0:2049 0.0.0.0:* LISTEN -

tcp 0 0 127.0.0.1:18083 0.0.0.0:* LISTEN 429/vboxwebsrv

tcp 0 0 0.0.0.0:37959 0.0.0.0:* LISTEN -

tcp 0 0 127.0.0.1:6600 0.0.0.0:* LISTEN 678/mpd

tcp 0 0 0.0.0.0:49743 0.0.0.0:* LISTEN 422/rpc.statd

tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1/init

...

Display network statics of all interfaces

Interface stats can be viewed using the command option -s.

$ sudo netstat -s

To display tcp stats use -st, for udp use -su

Display multicast group membership for both IPv4 and IPv6

Multicast is group communication where data transmission is addressed to a group of destination computers simultaneously. To get a multicast group membership use the option -g

$ sudo netstat -g

IPv6/IPv4 Group Memberships

Interface RefCnt Group

--------------- ------ ---------------------

lo 1 all-systems.mcast.net

wlp1s0 1 224.0.0.251

wlp1s0 1 all-systems.mcast.net

tun0 1 224.0.0.251

tun0 1 all-systems.mcast.net

lo 1 ff02::1

lo 1 ff01::1

wlp1s0 1 ff02::fb

wlp1s0 1 ff02::1:ff48:91f8

wlp1s0 1 ff02::1

wlp1s0 1 ff01::1

tun0 1 ff02::fb

tun0 1 ff02::1

tun0 1 ff01::1

List all listening UNIX ports

$ sudo netstat -lx

Active UNIX domain sockets (only servers)

Proto RefCnt Flags Type State I-Node Path

unix 2 [ ACC ] STREAM LISTENING 21766 /tmp/.X11-unix/X0

unix 2 [ ACC ] STREAM LISTENING 276493 /run/user/1000/pulse/cli

unix 2 [ ACC ] STREAM LISTENING 21789 /run/user/1000/i3/ipc-socket.644

unix 2 [ ACC ] STREAM LISTENING 49182 /tmp/qtsingleapp-HipCha-9b70-3e8

unix 2 [ ACC ] STREAM LISTENING 21765 @/tmp/.X11-unix/X0

unix 2 [ ACC ] STREAM LISTENING 18468 /run/gssproxy.sock

unix 2 [ ACC ] STREAM LISTENING 2609 /run/systemd/private

unix 2 [ ACC ] STREAM LISTENING 2620 /run/rpcbind.sock

...

Find port used by a running process

$ sudo netstat -ap | grep ssh

tcp 0 0 0.0.0.0:ssh 0.0.0.0:* LISTEN 7885/sshd

tcp6 0 0 [::]:ssh [::]:* LISTEN 7885/sshd

Display Domain names where possible for IP address:

$ netstat -ltF

This command will list listening tcp ports but show domain names on the output.

Display output in continuous mode

Use –c option to have the output display continuously by refreshing every five seconds.

$ netstat -ac 5

ss usage:

This section covers ss command usage with examples. The commands might miss some of your favorites so feel free to drop a comment for any addition. ss command gets all of its data from the kernel namespace hence can get more data as compared to netstat.

Common options used with ss command are:

–n, –numeric don’t resolve service names
-r, –resolve : resolve host hostnames.
-l, –listening display listening sockets
-o, –options show timer information
-e, –extended show detailed socket information
-m, –memory show socket memory usage
-p, –processes show process using socket
s, –summary show socket usage summary
-N, –net switch to the specified network namespace name
-4, –ipv4 display only IP version 4 sockets
-6, –ipv6 display only IP version 6 sockets
0, –packet display PACKET sockets
-t, –tcp display only TCP sockets
-S, –sctp display only SCTP sockets
-u, –udp display only UDP sockets
-w, –raw display only RAW sockets
-x, –unix display only Unix domain sockets
-f, –family=FAMILY display sockets of type FAMILY

Examples;

List all connections

To list all connections, just execute ss command without any option passed to it.

# ss

Show all listing tcp sockets including the corresponding process

The option used is -lt as described on options list shown previously.

# ss -tlp
ss_vs_netstat

Show all sockets connecting to 192.168.1.10 on port 443

# ss -t dst 192.168.1.10:443

Show all ssh related connection

# ss -t state established '( dport = :ssh or sport = :ssh )'

Recv-Q Send-Q Local Address:Port Peer Address:Port

0 0 192.168.0.16:60334 192.168.20.3:ssh

List tcp and udp ports with no hostname resolution

# ss -tun

Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port

tcp ESTAB 0 0 192.168.0.16:41464 216.58.223.74:443

tcp ESTAB 0 0 192.168.0.16:57354 5.160.200.106:80

tcp ESTAB 0 0 192.168.0.16:60334 88.198.68.148:22

....

Print process which owns the connection

# ss -ltp

State Recv-Q Send-Q Local Address:Port Peer Address:Port

LISTEN 0 128 0.0.0.0:ssh 0.0.0.0:* users:(("sshd",pid=7885,fd=3))

LISTEN 0 64 0.0.0.0:shilp 0.0.0.0:*

LISTEN 0 100 127.0.0.1:18083 0.0.0.0:* users:(("vboxwebsrv",pid=429,fd=9))

...

Show socket usage summary

Pass -s option to get a list of socket related stats, -t and -u can be used to show only tcp or udp stats respectively. The default will show both.

# ss -s

Total: 818 (kernel 946)

TCP: 65 (estab 42, closed 3, orphaned 4, synrecv 0, timewait 1/0), ports 0



Transport Total IP IPv6

* 946 - -

RAW 1 0 1

UDP 14 8 6

TCP 62 56 6

INET 77 64 13

FRAG 0 0 0

Show timer information

Timer information can be obtained using -o option.

# ss -tn -o

Display only raw packets

Use -w command option,

# ss -w

Recv-Q Send-Q Local Address:Port Peer Address:Port

0 0 *:ipv6-icmp *:*

That’s the end of netstat vs ss usage guide on Linux, we’ll keep updating the list so follow us on twitter and facebook to get latest updates.

https://www.computingpost.com/netstat-vs-ss-usage-guide-on-linux/?feed_id=18250&_unique_id=636ce8bac6c35

--

--

ComputingPost
ComputingPost

Written by ComputingPost

ComputingPost — Linux Howtos, Tutorials, Guides, News, Tips and Tricks.

No responses yet