It gets them from kernel space directly using Netlink which uses the classic sockets API.
Answer from ggiroux on Stack Overflow Top answer 1 of 5
42
It gets them from kernel space directly using Netlink which uses the classic sockets API.
2 of 5
37
I've made a comparison table (in Google Docs) (light HTML link) for converting between netstat and ss arguments. It's too big to include and update it here.
The short version of difference between short arguments is:
Arguments that require attention:
r N i g M W T v C F c A U 2 f
Arguments that are safe to leave as is:
h V l a n Z s p e o 4 6 x t u S w
Reddit
reddit.com › r/commandline › netstat vs ss (socket statistics)
r/commandline on Reddit: Netstat vs ss (socket statistics)
August 18, 2023 -
The manual for Netstat says it's obsolete and that I should use ss instead, but I like Netstat's more compact and easy-to-read interface better than ss's wide and spread-out display.
Is there anything wrong with Netstat compared to ss? Which one do you use?
Top answer 1 of 2
10
manual for Netstat says it's obsolete and that I should use ss instead Yup, true that. anything wrong with Netstat compared to ss Oh hell yeah. ss is far superior. E.g. let's say you want to know what PID(s) are associated with what (if anything) is listening on TCP port 22: # ss -nltp sport = :22 State Recv-Q Send-Q Local Address:Port Peer Address:PortProcess LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=852,fd=3)) LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=852,fd=4)) # That's highly fast and efficient, as the filtering happens in kernel. Now, compare that to wanting to do same with netstat - you'd need to run a netstat command that gets a lot more information than just for TCP port 22 - that alone can be exceedingly slow on a heavily loaded system - possibly taking minutes or more to return results - whereas even under comparable load that ss command will be much faster and probably complete in mere seconds or less. But with the netstat command to get just port 22 TCP results, then you'll need to filter it with grep or awk or sed or the like - and if you don't get it exactly right (more complex) you may get false positives - e.g. other stuff that matches, say string :22 other than only and exactly in the relevant field/position. ss is much more versatile than just that example, but that's just one example of how one can very quickly and efficiently get precisely the needed information from ss. Very similar in efficiency (and ease of correct accuracy) in filtering, e.g. by IPs, protocol(s), state, etc., and also many options to control output formatting, etc. Also, for non-ancient *nix operating systems, ss will generally be included / installed by default, whereas netstat may not be.
2 of 2
2
If you are using ss, use it with a pager like more or less. Running it by itself is a mess for readability.
Videos
02:52
How to Use SS to Monitor Listening Ports on Your System - YouTube
12:32
Linux Networking Tools: Ping, Traceroute, Netstat, and ss Explained ...
SS | Analyse Network Statistics in Linux
00:41
"netstat" is deprecated! Use "ss" command instead #linux - YouTube
01:38
How to use the netstat-s command - YouTube
Linux Foundation
training.linuxfoundation.org › home › tutorials › an introduction to the ss command
An Introduction to the ss Command - Linux Foundation - Education
November 22, 2023 - The ss command is a tool used to dump socket statistics and displays information in similar fashion (although simpler and faster) to netstat. The ss command can also display even more TCP and state information than most other tools.
TecAdmin
tecadmin.net › comparison-between-ss-vs-netstat-commands
A Comparison Between ss vs netstat Commands – TecAdmin
April 26, 2025 - Both the ss and netstat commands have their own strengths and weaknesses. ss is faster and provides more detailed information, making it the preferred choice for network analysis and troubleshooting in Linux.
Top answer 1 of 2
4
I've made a comparison table (in Google Docs) (light HTML link) for converting between netstat and ss arguments. It's too big to include and update it here.
The short version of difference between short arguments is:
Arguments that require attention:
r N i g M W T v C F c A U 2 f
Arguments that are safe to leave as is:
h V l a n Z s p e o 4 6 x t u S w
2 of 2
0
I stumbled across this post while researching netstat -> ss conversion. Outstanding table but I wanted to point out one thing in particular... the man page description for the netstat -s command option states, "Display summary statistics for each protocol". ss -s option in the man page states, "Print summary statistics. This option does not parse socket lists obtaining summary from various sources. It is useful when amount of sockets is so huge that parsing /proc/net/tcp is painful." These two command options return EXTIRELY different information.
For example:
$ ss -s
Total: 1365 (kernel 0)
TCP: 276 (estab 163, closed 14, orphaned 0, synrecv 0, timewait 1/0), ports 0
Transport Total IP IPv6
* 0 - -
RAW 1 1 0
UDP 24 17 7
TCP 262 246 16
INET 287 264 23
FRAG 0 0 0
as opposed to the netstat -s command output (truncated):
$ netstat -s | head -n15
Ip:
2043673568 total packets received
0 forwarded
0 incoming packets discarded
1997519606 incoming packets delivered
1359233819 requests sent out
53 dropped because of missing route
22 reassemblies required
11 packets reassembled ok
Icmp:
38023 ICMP messages received
7619 input ICMP message failed.
ICMP input histogram:
destination unreachable: 23947
timeout in transit: 129
I don't know if the upstream developers of ss intend on expanding the available output from the command, but near as I can tell... ss doesn't offer anything equivalent to the netstat -s statistics.
/ SenseiC bows out
Medium
medium.com › itversity › understanding-socket-connections-with-netstat-and-ss-00cde8e9454c
Understanding Socket Connections with netstat and ss | by Chaitanya Varma Manthena | itversity | Medium
November 6, 2024 - For example, if you notice a large ... (Denial of Service) attack or experiencing a connection flood. ss (Socket Statistics) is a modern replacement for netstat, designed to be faster and more efficient, especially on large systems ...
InterServer
interserver.net › home › linux › how to use netstat and ss to monitor network connections and ports
How to Use netstat and ss to Monitor Network Connections and Ports - Interserver Tips
November 6, 2025 - Mastering netstat and ss gives you powerful visibility into your Linux system’s network activity. While netstat remains familiar, ss is the tool of choice for speed and advanced filtering. Both utilities help you pinpoint open ports, investigate suspicious connections, troubleshoot network ...
Linux Audit
linux-audit.com › linux audit › cheat sheets › ss
ss cheat sheet - Linux Audit
March 12, 2025 - Ss is the name of the tool that is replacing the netstat command. It is short for socket statistics and a great utility to show information about sockets on Linux systems. It can be used to show which TCP/UDP ports are opened or what services ...
Red Hat
redhat.com › en › blog › ss-command
Linux tools: How to use the ss command
January 13, 2020 - In fact, there is one significant ss bummer. You can try this one for yourself to compare the two: $ netstat -s Ip: Forwarding: 2 6231 total packets received 2 with invalid addresses 0 forwarded 0 incoming packets discarded 3104 incoming packets delivered 2011 requests sent out 243 dropped because of missing route <truncated> $ ss -s Total: 182 TCP: 3 (estab 1, closed 0, orphaned 0, timewait 0) Transport Total IP IPv6 RAW 1 0 1 UDP 3 2 1 TCP 3 2 1 INET 7 4 3 FRAG 0 0 0
Linux Audit
linux-audit.com › linux audit › alternative for netstat: ss tool
Alternative for netstat: ss tool - Linux Audit
March 12, 2025 - Socket statistics, or ss for short, is an easy replacement command for netstat.
Net7
net7.be › blog › article › network_activity_analysis_1_netstat.html
Net7 - Blog - Analysing network activity #1 - netstat, ss and lsof
March 29, 2021 - On Windows the feature to have ... every 1 second. The ss command shows socket information, pretty much like netstat does, with the key difference that it doesn't read /proc/net/* special files and uses a "newer" (it's actually very old) kernel API instead....
phoenixNAP
phoenixnap.com › home › kb › sysadmin › how to use linux ss command
How To Use Linux SS Command
January 27, 2025 - The ss (socket statistics) tool is a CLI command used to show network statistics. The ss command is a simpler and faster version of the now obsolete netstat command.
Linux.org
linux.org › home › forums › linux.org news, tutorials and articles › linux original content › linux articles › linux networking
Using ss instead of netstat to investigate sockets | Linux.org
November 5, 2018 - NOTE This program is obsolete. Replacement for netstat is ss. Replacement for netstat -r is ip route. Replacement for netstat -i is ip -s link. Replacement for netstat -g is ip maddr.
Top answer 1 of 3
54
the netstat command has been deprecated in favor of the faster, more human-readable ss command. See recommendations from RHEL 7, Debian, and Arch Linux regarding the deprecation of net-tools, including netstat, with iproute alternatives, specifically ss.
The ss command is a tool used to dump socket statistics and displays information in similar fashion (although simpler and faster) to netstat.
$ ss
is replacing netstat. You can use it like this:
$ ss -aunp | grep radi
2 of 3
29
I use "show sockets":
sudo ss -ltpn
This command also shows the associated processes:
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:111 0.0.0.0:* users:(("rpcbind",pid=844,fd=8))
LISTEN 0 100 0.0.0.0:8080 0.0.0.0:* users:(("java",pid=1554,fd=60))
LISTEN 0 128 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=1048,fd=13))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=1891,fd=3))
LISTEN 0 1 127.0.0.1:8005 0.0.0.0:* users:(("java",pid=1554,fd=76))
Swap -t with -u for UDP instead of TCP.
In the beginning I always used -ltpan, but sometimes that shows a bit much.
ss -h (help on Ubuntu 18.04):
Usage: ss [ OPTIONS ]
ss [ OPTIONS ] [ FILTER ]
-h, --help this message
-V, --version output version information
-n, --numeric don't resolve service names
-r, --resolve resolve host names
-a, --all display all sockets
-l, --listening display listening sockets
-o, --options show timer information
-e, --extended show detailed socket information
-m, --memory show socket memory usage
-p, --processes show process using socket
-i, --info show internal TCP information
-s, --summary show socket usage summary
-b, --bpf show bpf filter socket information
-E, --events continually display sockets as they are destroyed
-Z, --context display process SELinux security contexts
-z, --contexts display process and socket SELinux security contexts
-N, --net switch to the specified network namespace name
-4, --ipv4 display only IP version 4 sockets
-6, --ipv6 display only IP version 6 sockets
-0, --packet display PACKET sockets
-t, --tcp display only TCP sockets
-S, --sctp display only SCTP sockets
-u, --udp display only UDP sockets
-d, --dccp display only DCCP sockets
-w, --raw display only RAW sockets
-x, --unix display only Unix domain sockets
--vsock display only vsock sockets
-f, --family=FAMILY display sockets of type FAMILY
FAMILY := {inet|inet6|link|unix|netlink|vsock|help}
-K, --kill forcibly close sockets, display what was closed
-H, --no-header Suppress header line
-A, --query=QUERY, --socket=QUERY
QUERY := {all|inet|tcp|udp|raw|unix|unix_dgram|unix_stream|unix_seqpacket|packet|netlink|vsock_stream|vsock_dgram}[,QUERY]
-D, --diag=FILE Dump raw information about TCP sockets to FILE
-F, --filter=FILE read filter information from FILE
FILTER := [ state STATE-FILTER ] [ EXPRESSION ]
STATE-FILTER := {all|connected|synchronized|bucket|big|TCP-STATES}
TCP-STATES := {established|syn-sent|syn-recv|fin-wait-{1,2}|time-wait|closed|close-wait|last-ack|listening|closing}
connected := {established|syn-sent|syn-recv|fin-wait-{1,2}|time-wait|close-wait|last-ack|closing}
synchronized := {established|syn-recv|fin-wait-{1,2}|time-wait|close-wait|last-ack|closing}
bucket := {syn-recv|time-wait}
big := {established|syn-sent|fin-wait-{1,2}|closed|close-wait|last-ack|listening|closing}
Engineering LibreTexts
eng.libretexts.org › bookshelves › computer science › operating systems › linux - the penguin marches on (mcclanahan) › module 10: network management › 10-f.11: how to troubleshoot networking problems
10-F.11.1: Network Troubleshooting Commands - netstat / ss - Engineering LibreTexts
October 3, 2022 - The ss command is a new tool used to dump socket statistics; it displays information a bit like netstat - although ss is simpler and faster.
eUKhost
eukhost.com › home › how to use netstat and ss to check linux’s listening ports
Check Linux Listening Ports with netstat & ss
September 1, 2025 - Best Practice: Prefer ‘ss’ over ‘netstat’ for speed and accuracy, but both are useful depending on the system environment.
YouTube
youtube.com › watch
Netstat and SS Commands: Network Monitoring Tools for Beginners - YouTube
Dive into the world of network monitoring with our comprehensive guide to the `netstat` and `ss` commands! 🚀 Perfect for beginners, this video breaks down h...
Published May 4, 2025
ComputingForGeeks
computingforgeeks.com › home › cheat sheets › netstat vs ss usage guide on linux
netstat vs ss usage guide on Linux | ComputingForGeeks
August 5, 2024 - Netstat is a command-line network ... tables, masquerade connections, multicast memberships e.t.c. netstat program is obsolete and its replacement is ss....
Medium
medium.com › @kuldeepkumawat195 › comprehensive-guide-to-network-insights-netstat-and-ss-commands-0a58984f4aae
Comprehensive Guide to Network Insights: Netstat and SS Commands | by Kuldeepkumawat | Medium
October 2, 2024 - netstat (network statistics) is ... a staple tool for network administrators for many years. ss (socket statistics) is a more modern and faster alternative to netstat....