ss gets them from kernel space directly using Netlink which uses the classic sockets API.
Top answer 1 of 5
42
ss gets them from kernel space directly using Netlink which uses the classic sockets API.
2 of 5
37
I've made a comparison table (in Google Docs) (light HTML link) for converting between netstat and ss arguments. It's too big to include and update it here.
The short version of difference between short arguments is:
Arguments that require attention:
r N i g M W T v C F c A U 2 f
Arguments that are safe to leave as is:
h V l a n Z s p e o 4 6 x t u S w
Reddit
reddit.com › r/commandline › netstat vs ss (socket statistics)
r/commandline on Reddit: Netstat vs ss (socket statistics)
August 18, 2023 -
The manual for Netstat says it's obsolete and that I should use ss instead, but I like Netstat's more compact and easy-to-read interface better than ss's wide and spread-out display.
Is there anything wrong with Netstat compared to ss? Which one do you use?
Top answer 1 of 2
10
manual for Netstat says it's obsolete and that I should use ss instead Yup, true that. anything wrong with Netstat compared to ss Oh hell yeah. ss is far superior. E.g. let's say you want to know what PID(s) are associated with what (if anything) is listening on TCP port 22: # ss -nltp sport = :22 State Recv-Q Send-Q Local Address:Port Peer Address:PortProcess LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=852,fd=3)) LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=852,fd=4)) # That's highly fast and efficient, as the filtering happens in kernel. Now, compare that to wanting to do same with netstat - you'd need to run a netstat command that gets a lot more information than just for TCP port 22 - that alone can be exceedingly slow on a heavily loaded system - possibly taking minutes or more to return results - whereas even under comparable load that ss command will be much faster and probably complete in mere seconds or less. But with the netstat command to get just port 22 TCP results, then you'll need to filter it with grep or awk or sed or the like - and if you don't get it exactly right (more complex) you may get false positives - e.g. other stuff that matches, say string :22 other than only and exactly in the relevant field/position. ss is much more versatile than just that example, but that's just one example of how one can very quickly and efficiently get precisely the needed information from ss. Very similar in efficiency (and ease of correct accuracy) in filtering, e.g. by IPs, protocol(s), state, etc., and also many options to control output formatting, etc. Also, for non-ancient *nix operating systems, ss will generally be included / installed by default, whereas netstat may not be.
2 of 2
2
If you are using ss, use it with a pager like more or less. Running it by itself is a mess for readability.
Videos
12:32
Linux Networking Tools: Ping, Traceroute, Netstat, and ss Explained ...
02:52
How to Use SS to Monitor Listening Ports on Your System - YouTube
SS | Analyse Network Statistics in Linux
00:41
"netstat" is deprecated! Use "ss" command instead #linux - YouTube
01:38
How to use the netstat-s command - YouTube
Medium
medium.com › itversity › understanding-socket-connections-with-netstat-and-ss-00cde8e9454c
Understanding Socket Connections with netstat and ss | by Chaitanya Varma Manthena | itversity | Medium
November 6, 2024 - For example, if you notice a large ... (Denial of Service) attack or experiencing a connection flood. ss (Socket Statistics) is a modern replacement for netstat, designed to be faster and more efficient, especially on large systems ...
Top answer 1 of 2
4
I've made a comparison table (in Google Docs) (light HTML link) for converting between netstat and ss arguments. It's too big to include and update it here.
The short version of difference between short arguments is:
Arguments that require attention:
r N i g M W T v C F c A U 2 f
Arguments that are safe to leave as is:
h V l a n Z s p e o 4 6 x t u S w
2 of 2
0
I stumbled across this post while researching netstat -> ss conversion. Outstanding table but I wanted to point out one thing in particular... the man page description for the netstat -s command option states, "Display summary statistics for each protocol". ss -s option in the man page states, "Print summary statistics. This option does not parse socket lists obtaining summary from various sources. It is useful when amount of sockets is so huge that parsing /proc/net/tcp is painful." These two command options return EXTIRELY different information.
For example:
$ ss -s
Total: 1365 (kernel 0)
TCP: 276 (estab 163, closed 14, orphaned 0, synrecv 0, timewait 1/0), ports 0
Transport Total IP IPv6
* 0 - -
RAW 1 1 0
UDP 24 17 7
TCP 262 246 16
INET 287 264 23
FRAG 0 0 0
as opposed to the netstat -s command output (truncated):
$ netstat -s | head -n15
Ip:
2043673568 total packets received
0 forwarded
0 incoming packets discarded
1997519606 incoming packets delivered
1359233819 requests sent out
53 dropped because of missing route
22 reassemblies required
11 packets reassembled ok
Icmp:
38023 ICMP messages received
7619 input ICMP message failed.
ICMP input histogram:
destination unreachable: 23947
timeout in transit: 129
I don't know if the upstream developers of ss intend on expanding the available output from the command, but near as I can tell... ss doesn't offer anything equivalent to the netstat -s statistics.
/ SenseiC bows out
Linux Foundation
training.linuxfoundation.org › home › tutorials › an introduction to the ss command
An Introduction to the ss Command - Linux Foundation - Education
November 22, 2023 - The ss command is a tool used to dump socket statistics and displays information in similar fashion (although simpler and faster) to netstat. The ss command can also display even more TCP and state information than most other tools.
TecAdmin
tecadmin.net › comparison-between-ss-vs-netstat-commands
A Comparison Between ss vs netstat Commands – TecAdmin
April 26, 2025 - Both the ss and netstat commands have their own strengths and weaknesses. ss is faster and provides more detailed information, making it the preferred choice for network analysis and troubleshooting in Linux.
ComputingForGeeks
computingforgeeks.com › home › cheat sheets › netstat vs ss usage guide on linux
netstat vs ss usage guide on Linux | ComputingForGeeks
August 5, 2024 - Netstat is a command-line network ... tables, masquerade connections, multicast memberships e.t.c. netstat program is obsolete and its replacement is ss....
Red Hat
redhat.com › en › blog › ss-command
Linux tools: How to use the ss command
November 20, 2025 - In fact, there is one significant ss bummer. You can try this one for yourself to compare the two: $ netstat -s Ip: Forwarding: 2 6231 total packets received 2 with invalid addresses 0 forwarded 0 incoming packets discarded 3104 incoming packets delivered 2011 requests sent out 243 dropped because of missing route <truncated> $ ss -s Total: 182 TCP: 3 (estab 1, closed 0, orphaned 0, timewait 0) Transport Total IP IPv6 RAW 1 0 1 UDP 3 2 1 TCP 3 2 1 INET 7 4 3 FRAG 0 0 0
InterServer
interserver.net › home › linux › how to use netstat and ss to monitor network connections and ports
How to Use netstat and ss to Monitor Network Connections and Ports - Interserver Tips
November 6, 2025 - Mastering netstat and ss gives you powerful visibility into your Linux system’s network activity. While netstat remains familiar, ss is the tool of choice for speed and advanced filtering. Both utilities help you pinpoint open ports, investigate suspicious connections, troubleshoot network ...
Engineering LibreTexts
eng.libretexts.org › bookshelves › computer science › operating systems › linux - the penguin marches on (mcclanahan) › module 10: network management › 10-f.11: how to troubleshoot networking problems
10-F.11.1: Network Troubleshooting Commands - netstat / ss - Engineering LibreTexts
October 3, 2022 - The ss command is a new tool used to dump socket statistics; it displays information a bit like netstat - although ss is simpler and faster.
Net7
net7.be › blog › article › network_activity_analysis_1_netstat.html
Net7 - Blog - Analysing network activity #1 - netstat, ss and lsof
On Windows the feature to have ... every 1 second. The ss command shows socket information, pretty much like netstat does, with the key difference that it doesn't read /proc/net/* special files and uses a "newer" (it's actually very old) kernel API instead....
YouTube
youtube.com › watch
Netstat and SS Commands: Network Monitoring Tools for Beginners - YouTube
Dive into the world of network monitoring with our comprehensive guide to the `netstat` and `ss` commands! 🚀 Perfect for beginners, this video breaks down h...
Published May 4, 2025
Linux.org
linux.org › home › forums › linux.org news, tutorials and articles › linux original content › linux articles › linux networking
Using ss instead of netstat to investigate sockets | Linux.org
November 5, 2018 - NOTE This program is obsolete. Replacement for netstat is ss. Replacement for netstat -r is ip route. Replacement for netstat -i is ip -s link. Replacement for netstat -g is ip maddr.
phoenixNAP
phoenixnap.com › home › kb › sysadmin › how to use linux ss command
How To Use Linux SS Command
January 27, 2025 - The ss (socket statistics) tool is a CLI command used to show network statistics. The ss command is a simpler and faster version of the now obsolete netstat command.
Linux Audit
linux-audit.com › linux audit › alternative for netstat: ss tool
Alternative for netstat: ss tool - Linux Audit
March 12, 2025 - Socket statistics, or ss for short, is an easy replacement command for netstat.
Paul's Blog
blog.pcarleton.com › post › netstat-vs-ss
TIL: The difference between netstat and ss | Paul's Blog
May 31, 2018 - The default arguments is a little more compelling. netstat by default will try to resolve IP addresses through DNS which really slows it down. It also opens a bunch of new UDP sockets, which might clutter the picture if you’re investigating something. netstat -n stops this behavior, but ss has that on by default (you can use ss -r if you do want the resolution).
Paul Carleton's blog
pcarleton.com › 2018 › 05 › 31 › netstat-vs-ss
TIL: The difference between netstat and ss
August 20, 2018 - The default arguments is a little more compelling. netstat by default will try to resolve IP addresses through DNS which really slows it down. It also opens a bunch of new UDP sockets, which might clutter the picture if you're investigating something. netstat -n stops this behavior, but ss has that on by default (you can use ss -r if you do want the resolution).
Medium
krishankantsinghal.medium.com › netstat-or-ss-command-what-the-heck-is-that-and-how-it-helps-us-in-getting-network-statitcs-or-dcc39fc28d57
Netstat OR SS command , What the heck is that, and how it helps us in getting Network Statitcs or fixing issues. | by krishankant singhal | Medium
November 15, 2018 - Netstat is a command-line network ... tables, masquerade connections, multicast memberships e.t.c. netstat program is obsolete now and its replacement is ss....
Linux.com
linux.com › home › topic › desktop › an introduction to the ss command
An Introduction to the ss Command - Linux.com
August 23, 2019 - The ss command is a tool used to dump socket statistics and displays information in similar fashion (although simpler and faster) to netstat. The ss command can also display even more TCP and state information than most other tools.