Netstat/SS
Netstat vs. ss
netstat
gets its information from /proc/net
directly. It parses the file and prints out information based on it.
ss
was written more recently to use the netlink
API (it will fall back to proc/net
if netlink is unavailable). The information in both systems is essentially the same (from what I've seen), but here are some arguments for why to use ss
It's faster (I just read that a lot, I don't find
netstat
to be noticeably slower)Netlink exposes more TCP states (again I mostly look for
LISTEN
so that's not a huge selling point)It has better default argument
The default arguments is a little more compelling. netstat
by default will try to resolve IP addresses through DNS which really slows it down. It also opens a bunch of new UDP sockets, which might clutter the picture if you're investigating something. netstat -n
stops this behavior, but ss
has that on by default (you can use ss -r
if you do want the resolution).
time ss -nltp
real 0m0.129s
user 0m0.029s
sys 0m0.097s
time netstat -nltp
real 0m0.015s
user 0m0.004s
sys 0m0.010s
Netstat
SS
Usage: ss [ OPTIONS ]
ss [ OPTIONS ] [ FILTER ]
-h, --help this message
-V, --version output version information
-n, --numeric don't resolve service names
-r, --resolve resolve host names
-a, --all display all sockets
-l, --listening display listening sockets
-o, --options show timer information
-e, --extended show detailed socket information
-m, --memory show socket memory usage
-p, --processes show process using socket
-i, --info show internal TCP information
-s, --summary show socket usage summary
-4, --ipv4 display only IP version 4 sockets
-6, --ipv6 display only IP version 6 sockets
-0, --packet display PACKET sockets
-t, --tcp display only TCP sockets
-u, --udp display only UDP sockets
-d, --dccp display only DCCP sockets
-w, --raw display only RAW sockets
-x, --unix display only Unix domain sockets
-f, --family=FAMILY display sockets of type FAMILY
-A, --query=QUERY, --socket=QUERY
QUERY := {all|inet|tcp|udp|raw|unix|packet|netlink}[,QUERY]
-D, --diag=FILE Dump raw information about TCP sockets to FILE
-F, --filter=FILE read filter information from FILE
FILTER := [ state TCP-STATE ] [ EXPRESSION ]
Last updated
Was this helpful?