
Linux tools: How to use the ss command

ss is the Swiss Army Knife of system statistics commands. It's time to say buh-bye to netstat and hello to ss.

If you're like me, you still cling to soon-to-be-deprecated commands like ifconfig, nslookup, and netstat. The new replacements are ip, dig, and ss, respectively. It's time to (reluctantly) let go of legacy utilities and head into the future with ss. The ip command is worth a mention here because part of netstat's functionality has been replaced by ip. This article covers the essentials for the ss command so that you don't have to dig (no pun intended) for them.

Formally, ss is the socket statistics command that replaces netstat. In this article, I provide netstat commands and their ss replacements. Michael Prokop, the developer of ss, made it easy for us to transition into ss from netstat by making some of netstat's options operate in much the same fashion in ss.

For example, to display TCP sockets, use the -t option:

$ netstat -t
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 rhel8:ssh               khess-mac:62036         ESTABLISHED

$ ss -t
State         Recv-Q          Send-Q                    Local Address:Port                   Peer Address:Port          
ESTAB         0               0                          192.168.1.65:ssh                    192.168.1.94:62036 

You can see that the information given is essentially the same, but to better mimic what you see in the netstat command, use the -r (resolve) option:

$ ss -tr
State            Recv-Q             Send-Q                          Local Address:Port                         Peer Address:Port             
ESTAB            0                  0                                       rhel8:ssh                             khess-mac:62036 

And to see port numbers rather than their translations, use the -n option:

$ ss -ntr
State            Recv-Q             Send-Q                          Local Address:Port                         Peer Address:Port             
ESTAB            0                  0                                       rhel8:22                              khess-mac:62036  

It isn't 100% necessary that netstat and ss mesh, but it does make the transition a little easier. So, try your standby netstat options before hitting the man page or the internet for answers, and you might be pleasantly surprised at the results.

For example, the old standby options -an yield comparable results with both commands (the output is too long to show here in full):

$ netstat -an |grep LISTEN

tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     
tcp6       0      0 :::22                   :::*                    LISTEN     
unix  2      [ ACC ]     STREAM     LISTENING     28165    /run/user/0/systemd/private
unix  2      [ ACC ]     STREAM     LISTENING     20942    /var/lib/sss/pipes/private/sbus-dp_implicit_files.642
unix  2      [ ACC ]     STREAM     LISTENING     28174    /run/user/0/bus
unix  2      [ ACC ]     STREAM     LISTENING     20241    /var/run/lsm/ipc/simc
<truncated>

$ ss -an |grep LISTEN

u_str   LISTEN   0   128   /run/user/0/systemd/private 28165                             * 0
u_str   LISTEN   0   128   /var/lib/sss/pipes/private/sbus-dp_implicit_files.642 20942   * 0
u_str   LISTEN   0   128   /run/user/0/bus 28174                                         * 0
u_str   LISTEN   0   5     /var/run/lsm/ipc/simc 20241                                   * 0
<truncated>

The TCP entries fall at the end of the ss command's display and at the beginning of netstat's. So, there are layout differences even though the displayed information is really the same.
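
For a security review the listening TCP sockets are usually the interesting part, and ss can select them directly with -tln instead of grepping the full -an listing. The script below is an added example, not from the original article: it classifies each listener by bind address (wildcard, loopback or specific) from ss -Htln output. The function names and sample lines are constructed, and it assumes an ss build that supports -H (no header).

```bash
#!/usr/bin/env bash
# Added example: classify TCP listeners from `ss -Htln` output by exposure.

# Constructed sample of `ss -Htln` output (State Recv-Q Send-Q Local Peer).
sample_ss_output() {
cat <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 128 192.168.1.65:8080 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 5 [::1]:631 [::]:*
EOF
}

# classify_listeners: read `ss -Htln` lines on stdin and print
# "<exposure> <address> <port>" for every listening socket.
classify_listeners() {
  awk '$1 == "LISTEN" {
    if (!match($4, /:[^:]*$/)) next      # no port separator: skip the line
    addr = substr($4, 1, RSTART - 1)     # everything before the last colon
    port = substr($4, RSTART + 1)
    sub(/%.*$/, "", addr)                # drop an interface scope such as %lo
    if (addr == "0.0.0.0" || addr == "[::]" || addr == "*") kind = "wildcard"
    else if (addr ~ /^127\./ || addr == "[::1]") kind = "loopback"
    else kind = "specific"
    print kind, addr, port
  }'
}

# wildcard_ports: unique ports that accept connections on every interface.
wildcard_ports() {
  classify_listeners | awk '$1 == "wildcard" { print $3 }' | sort -un
}

# Offline demonstration on the constructed sample.
sample_ss_output | classify_listeners
```

On a live host, feed it real data with `ss -Htln | classify_listeners`; adding -p to ss (as root) shows the owning process for each socket.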

If you're wondering which netstat commands have been replaced by the ip command, here's one for you:

$ netstat -g
IPv6/IPv4 Group Memberships
Interface       RefCnt Group
--------------- ------ ---------------------
lo              1      all-systems.mcast.net
enp0s3          1      all-systems.mcast.net
lo              1      ff02::1
lo              1      ff01::1
enp0s3          1      ff02::1:ffa6:ab3e
enp0s3          1      ff02::1:ff8d:912c
enp0s3          1      ff02::1
enp0s3          1      ff01::1

$ ip maddr
1:	lo
	inet  224.0.0.1
	inet6 ff02::1
	inet6 ff01::1
2:	enp0s3
	link  01:00:5e:00:00:01
	link  33:33:00:00:00:01
	link  33:33:ff:8d:91:2c
	link  33:33:ff:a6:ab:3e
	inet  224.0.0.1
	inet6 ff02::1:ffa6:ab3e
	inet6 ff02::1:ff8d:912c
	inet6 ff02::1
	inet6 ff01::1

The ss command isn't perfect (sorry, Michael). In fact, there is one significant ss bummer. You can try this one for yourself to compare the two:

$ netstat -s 

Ip:
    Forwarding: 2
    6231 total packets received
    2 with invalid addresses
    0 forwarded
    0 incoming packets discarded
    3104 incoming packets delivered
    2011 requests sent out
    243 dropped because of missing route
<truncated>

$ ss -s

Total: 182
TCP:   3 (estab 1, closed 0, orphaned 0, timewait 0)

Transport Total     IP        IPv6
RAW	  1         0         1        
UDP	  3         2         1        
TCP	  3         2         1        
INET	  7         4         3        
FRAG	  0         0         0        

If you figure out how to display the same info with ss, please let me know.
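
The counters netstat -s prints are read from /proc/net/snmp (extended ones from /proc/net/netstat), and iproute2 ships nstat for the same data, so ss -s is not the place to look. As an added example, not from the original article, this parser pairs each header line of that file format with its value line. The function names are hypothetical and the sample is constructed, shortened to a few columns, with the Ip values taken from the netstat -s output above.

```bash
#!/usr/bin/env bash
# Added example: read per-protocol counters from /proc/net/snmp-format text.

# Constructed sample in /proc/net/snmp layout (column subset): each protocol
# has a line of counter names followed by a line of values, same prefix.
sample_snmp() {
cat <<'EOF'
Ip: Forwarding DefaultTTL InReceives InHdrErrors InAddrErrors ForwDatagrams InUnknownProtos InDiscards InDelivers OutRequests OutDiscards OutNoRoutes
Ip: 2 64 6231 0 2 0 0 0 3104 2011 0 243
Tcp: ActiveOpens PassiveOpens AttemptFails EstabResets CurrEstab
Tcp: 4 7 0 1 1
EOF
}

# snmp_counters PROTO: read snmp-format text on stdin, print "Name Value".
snmp_counters() {
  awk -v proto="$1:" '
    $1 == proto && !have {               # first line: remember counter names
      for (i = 2; i <= NF; i++) name[i] = $i
      nf = NF; have = 1; next
    }
    $1 == proto && have {                # second line: pair names with values
      if (NF != nf) {
        print "field count mismatch for " proto > "/dev/stderr"; exit 1
      }
      for (i = 2; i <= NF; i++) print name[i], $i
      have = 0
    }'
}

# snmp_value PROTO NAME: print one counter; non-zero exit if it is absent.
snmp_value() {
  snmp_counters "$1" |
    awk -v n="$2" '$1 == n { print $2; found = 1 } END { exit !found }'
}

# Offline demonstration on the constructed sample.
sample_snmp | snmp_counters Ip
```

On a live host, run `snmp_counters Ip < /proc/net/snmp`, or use `nstat -az` for all counters including zeros.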

Maybe as ss evolves, it will include more features. I guess Michael or someone else could always just look at the netstat command to glean those statistics from it. For me, I prefer netstat, and I'm not sure exactly why it's being deprecated in favor of ss. The output from ss is less human-readable in almost every instance.

What do you think? What about ss makes it a better option than netstat? I suppose I could ask the same question of the other net-tools utilities as well. I don't find anything wrong with them. In my mind, unless you're significantly improving an existing utility, why bother deprecating the other?

There, you have the ss command in a nutshell. As netstat fades into oblivion, I'm sure I'll eventually embrace ss as its successor.


Ken Hess

Ken has used Red Hat Linux since 1996 and has written ebooks, whitepapers, actual books, thousands of exam review questions, and hundreds of articles on open source and other topics. Ken also has 20+ years of experience as an enterprise sysadmin with Unix, Linux, Windows, and Virtualization.
