Has netstat Been Replaced With a New Tool?

In Linux, the users are offered many tools that are used to perform different operations across the system. A few of them are highly popular, such as the netstat command. It is commonly used to view network-related information. Since the release of Debian 9, it has been depreciated as it was not maintained. Therefore, it is now replaced by a much better, faster, and well-maintained tool called the “ss” command.

This guide explains the “ss” command, which has now replaced the netstat command in all the distributions of Linux:

  • What is the “ss” Command in Linux?
  • What are the Syntax and Options of the “ss” Command?
  • How to Use the “ss” Command in Linux?
  • How to Display all Ports Using the “ss” Command?
  • How to Display Only the Listening Ports Using the “ss” Command?
  • How to Only Display UDP Connections Using “ss” Command?
  • How to Only Display TCP Connections Using “ss” Command?
  • How to Display Processes Using the “ss” Command?

What is the “ss” Command in Linux?

The “ss” command emerged as a replacement for the famous “netstat command. It offers much more features and is faster when compared with the netstat command. The ss or Socket Statistics is used to view the network statistics. The main uses of the “ss” command include the following:

  • Diagnose and troubleshoot the network issues
  • View TCP and UDP connections
  • List IPv4 and IPv6 socket connections and much more, explained below

It comes pre-installed with the “iproute2” package in most distributions of Linux. If not, use these commands:

$ sudo apt install iproute2  #Ubuntu/Debian
$ sudo zypper install iproute2  #openSUSE
$ sudo pacman -S iproute2  #Arch Linux
$ sudo yum install iproute2 #RedHat
$ sudo dnf install iproute2  #Fedora

In the above image, it is seen that the iproute2 package is already installed.

What are the Syntax and Options of the “ss” Command?

The “ss” command is used in this way:

Syntax

ss [options]
ss [options] [ FILTER ]

To view the list of options, use this “ss –help command:

$ ss --help

Note: When the ss command is used with no options, it displays all connections.

How to Use the “ss” Command in Linux?

As per the Linux Manual Page for the “ss” command, it is quite easy to use as compared to the netstat command. Here are a few examples of how things work in the ss command:

Example 1: Display all Connections

For displaying all open non-listening connections, the “ss command is used without any options in this way:

$ ss

The output is explained as follows:

  • Netid is the connection socket (like SOCK_STREAM of the netstat).
  • State shows the state of the socket, “ESTAB” means established, “UNCONN” means unconnected, and “LISTEN” means listening.
  • Recv-Q is the number of packets received in the queue.
  • Sent-Q is the number of packets sent in the queue.
  • Local Address:Port is the address of the local port and system.
  • Peer Address:Port is the address of the remote port and system.

To view the summary of all connections, the flag “-s is used with the “ss” command in this way:

$ ss -s

The above image shows the summary statistics.

To view the count of the established socket connections, use the “ss command with the “wc -l command (displays the count) as follows:

$ ss |wc -l

In the above image, the count of established connections has been displayed as “645”.

Display IPv4 Connections Using the “ss” Command

To view the IPv4 connections, use the “ss command in this way:

$ ss -4

The above command displayed the IPv4 socket connections.

Display IPv6 Connections Using the “ss” Command

To view the IPv6 connections, use the “ss command in this way:

$ ss -6

The above command displayed the IPv6 socket connections.

How to Display all Ports Using the “ss” Command?

To view all ports (listening and non-listening), the “-a flag of the “ss command is used:

$ ss -a

The above command displayed all the ports.

How to Display Only the Listening Ports Using the “ss” Command?

To display only the listening ports, the “-l flag of the “ss” command is used this way:

$ ss -l

The above command displayed all the listening ports.

How to Only Display UDP Connections Using “ss” Command?

To view the information on only the UDP connections, the “-ua flag of the “ss command can be utilized:

$ ss -ua

The above command displayed all the UDP connections.

How to Only Display TCP Connections Using “ss” Command?

To view the information on only the TCP connections, the “-t flag of the “ss command is used in this way:

$ ss -t

The above command displayed all the TCP connections.

How to View Processes Using the “ss” Command?

To view the process IDs for the socket connections, the “-p” flag of the “ss command:

$ ss -p

The above command displayed all the Process IDs of the socket connections.

Conclusion

Yes, the old “netstat” command is replaced with a new tool called the “ss command which comes with several new features. It is much faster because it directly queries the kernel. It displays the output in a way that it is easily interpreted by humans, which can be confirmed in the above commands. Although in some cases, Netstat command is better since it is not maintained for quite a long time, it is okay to switch now.

This guide explained if the netstat is replaced with a new tool which is a yes.