Saturday, January 4, 2025
Google search engine
HomeGuest Blogsnetstat vs ss usage guide on Linux

netstat vs ss usage guide on Linux

Welcome to netstat vs ss usage guide on Linux which tries to teach you usage of netstat and ss commands using examples. We’ll start off this guide by defining what ss and netstat commands are, what they are used for, and demonstrate how they are used for network analysis and troubleshooting using examples.

What’s netstat?

Netstat is a command-line network utility used to display network connections for the TCP/UDP,  network protocol statistics, interface statistics, routing tables, masquerade connections, multicast memberships e.t.c. netstat program is obsolete and its replacement is ss. Some netstat commands have been replaced by ss commands, for example:

$ netstat -r   replaced by   $ ip route
$ netstat -i   replaced by   $ ip -s lin
$ netstat -g   replaced by   $ ip maddr.

What is ss?

ss is a utility used to investigate sockets in Linux and Unix systems. It shows information similar to netstat and able to dump socket statistics. ss command can display more than TCP and state information as compared to other tools. By default, ss displays a list of open non-listening sockets (e.g. TCP/UNIX/UDP) that have established a connection.

netstat vs ss usage guide on Linux with examples:

From this section, we’ll look at examples of ss and netstat command line tools used in Linux and Unix systems. On all latest distributions, these commands should be readily available and you can invoke them by typing the commands on the terminal. If your distribution doesn’t ship with any of the tools, consult its documentation on how to install them.

The following is command line usage of netstat command. You can later look at ss command usage and do a comparison, you’ll then decide which tool works best for you. Just note that netstat will be phased out soon since its deprecated, so you’re advised to learn using ss command.

netstat usage:

Common command line options used with netstat command are:

-l, –listening display listening server sockets
-a, –all display all sockets (default: connected)
-r, –route display routing table
i, –interfaces display interface table
-g, –groups display multicast group memberships
-s, –statistics display networking statistics (like SNMP)
-M, –masquerade display masqueraded connections
-v, –verbose be verbose
-W, –wide don’t truncate IP addresses
-n, –numeric don’t resolve names
-e, –extend display other/more information
-p, –programs display PID/Program name for sockets
-o, –timers display timers
-F, –fib display Forwarding Information Base (default)
-C, –cache display routing cache instead of FIB

Usage Examples:

Display all sockets ( default: connected)

To get a list of all active connections from different protocols on your system, run:

$ netstat -a

List all UDP ports

$ netstat -au

List all TCP ports:

$ netstat -at

List all listening ports:

$ netstat -l

List all listening tcp ports:

$ netstat -lt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State 
tcp 0 0 0.0.0.0:nfs 0.0.0.0:* LISTEN 
tcp 0 0 localhost.localdo:18083 0.0.0.0:* LISTEN 
tcp 0 0 0.0.0.0:37959 0.0.0.0:* LISTEN 
tcp 0 0 localhost.locald:mshvlm 0.0.0.0:* LISTEN 

List all listening udp ports:

To list listening udp ports, use the option -lu

$ netstat -lu
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State 
udp 0 0 0.0.0.0:52179 0.0.0.0:* 
udp 0 0 0.0.0.0:mountd 0.0.0.0:* 
udp 0 0 dev.jmtai.com:bootpc 0.0.0.0:* 
udp 0 0 0.0.0.0:sunrpc 0.0.0.0:* 
 ....

Display kernel routing table

Option -r is used to view kernel routing table.

$ netstat -r
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
default _gateway 0.0.0.0 UG 0 0 0 tun0
default _gateway 0.0.0.0 UG 0 0 0 wlp1s0
10.10.46.0 _gateway 255.255.255.0 UG 0 0 0 tun0
10.20.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0

See which process is listening on a specific port:

Format is: netstat -pln | grep <port> | awk ‘{print $NF}’. As an example to see which process is listening on port 22:

$ sudo netstat -pln | grep 22 | awk '{print $NF}'
7885/sshd

To confirm this, check from ps command.

$ ps aux | grep 7885
root 7885 0.0 0.0 40692 5452 ? Ss 18:54 0:00 /usr/bin/sshd -D

Display only IPv4 listening ports (TCP and UDP)

Netstat by default gives you a list of both IPv4 and IPv6 listening port list. To get a list of only IPv4, use:

$ sudo netstat -vutlnp --listening -4
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name 
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 7885/sshd 
tcp 0 0 0.0.0.0:2049 0.0.0.0:* LISTEN - 
tcp 0 0 127.0.0.1:18083 0.0.0.0:* LISTEN 429/vboxwebsrv 
tcp 0 0 0.0.0.0:37959 0.0.0.0:* LISTEN - 
tcp 0 0 127.0.0.1:6600 0.0.0.0:* LISTEN 678/mpd 
tcp 0 0 0.0.0.0:49743 0.0.0.0:* LISTEN 422/rpc.statd 
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1/init 
...

Display network statics of all interfaces

Interface stats can be viewed using the command option -s.

sudo netstat -s

To display tcp stats use -st, for udp use -su

Display multicast group membership for both  IPv4 and IPv6

Multicast is group communication where data transmission is addressed to a group of destination computers simultaneously. To get a multicast group membership use the option -g

sudo netstat -g
IPv6/IPv4 Group Memberships
Interface RefCnt Group
--------------- ------ ---------------------
lo 1 all-systems.mcast.net
wlp1s0 1 224.0.0.251
wlp1s0 1 all-systems.mcast.net
tun0 1 224.0.0.251
tun0 1 all-systems.mcast.net
lo 1 ff02::1
lo 1 ff01::1
wlp1s0 1 ff02::fb
wlp1s0 1 ff02::1:ff48:91f8
wlp1s0 1 ff02::1
wlp1s0 1 ff01::1
tun0 1 ff02::fb
tun0 1 ff02::1
tun0 1 ff01::1

List all listening UNIX ports

$ sudo netstat -lx
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 21766 /tmp/.X11-unix/X0
unix 2 [ ACC ] STREAM LISTENING 276493 /run/user/1000/pulse/cli
unix 2 [ ACC ] STREAM LISTENING 21789 /run/user/1000/i3/ipc-socket.644
unix 2 [ ACC ] STREAM LISTENING 49182 /tmp/qtsingleapp-HipCha-9b70-3e8
unix 2 [ ACC ] STREAM LISTENING 21765 @/tmp/.X11-unix/X0
unix 2 [ ACC ] STREAM LISTENING 18468 /run/gssproxy.sock
unix 2 [ ACC ] STREAM LISTENING 2609 /run/systemd/private
unix 2 [ ACC ] STREAM LISTENING 2620 /run/rpcbind.sock
...

Find port used by a running process

$ sudo netstat -ap | grep ssh
tcp 0 0 0.0.0.0:ssh 0.0.0.0:* LISTEN 7885/sshd 
tcp6 0 0 [::]:ssh [::]:* LISTEN 7885/sshd

Display Domain names where possible for IP address:

netstat -ltF

This command will list listening tcp ports but show domain names on the output.

Display output in continuous mode

Use –option to have the output display continuously by refreshing every five seconds.

netstat -ac 5

If you Love what we do, support us by downloading this tutorial as pdf from the link below:

ss usage:

This section covers ss command usage with examples. The commands might miss some of your favorites so feel free to drop a comment for any addition. ss command gets all of its data from the kernel namespace hence can get more data as compared to netstat.

 Common options used with ss command are:

n, –numeric don’t resolve service names
-r, –resolve : resolve host hostnames.
-l, –listening display listening sockets
-o, –options show timer information
-e, –extended show detailed socket information
-m, –memory show socket memory usage
-p, –processes show process using socket
s, –summary show socket usage summary
-N, –net switch to the specified network namespace name
-4, –ipv4 display only IP version 4 sockets
-6, –ipv6 display only IP version 6 sockets
0, –packet display PACKET sockets
-t, –tcp display only TCP sockets
-S, –sctp display only SCTP sockets
-u, –udp display only UDP sockets
-w, –raw display only RAW sockets
-x, –unix display only Unix domain sockets
-f, –family=FAMILY display sockets of type FAMILY

Examples;

List all connections

To list all connections, just execute ss command without any option passed to it.

# ss

Show all listing tcp sockets including the corresponding process

The option used is -lt as described on options list shown previously.

# ss -tlp
netstat vs ss usage guide on Linux

Show all sockets connecting to 192.168.1.10 on port 443

# ss -t dst 192.168.1.10:443

Show all ssh related connection

ss -t state established '( dport = :ssh or sport = :ssh )'
Recv-Q Send-Q Local Address:Port Peer Address:Port 
0 0 192.168.0.16:60334 192.168.20.3:ssh

List tcp and udp ports with no hostname resolution

# ss -tun
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port 
tcp ESTAB 0 0 192.168.0.16:41464 216.58.223.74:443 
tcp ESTAB 0 0 192.168.0.16:57354 5.160.200.106:80 
tcp ESTAB 0 0 192.168.0.16:60334 88.198.68.148:22 
....

Print process which owns the connection

# ss -ltp
State Recv-Q Send-Q Local Address:Port Peer Address:Port 
LISTEN 0 128 0.0.0.0:ssh 0.0.0.0:* users:(("sshd",pid=7885,fd=3))
LISTEN 0 64 0.0.0.0:shilp 0.0.0.0:* 
LISTEN 0 100 127.0.0.1:18083 0.0.0.0:* users:(("vboxwebsrv",pid=429,fd=9))
...

Show socket usage summary

Pass -s option to get a list of socket related stats, -t and -u can be used to show only tcp or udp stats respectively. The default will show both.

# ss -s
Total: 818 (kernel 946)
TCP: 65 (estab 42, closed 3, orphaned 4, synrecv 0, timewait 1/0), ports 0

Transport Total IP IPv6
* 946 - - 
RAW 1 0 1 
UDP 14 8 6 
TCP 62 56 6 
INET 77 64 13 
FRAG 0 0 0

Show timer information

Timer information can be obtained using -o option.

# ss -tn -o

Display only raw packets

Use -w command option,

# ss -w
Recv-Q Send-Q Local Address:Port Peer Address:Port 
0 0 *:ipv6-icmp *:*

That’s the end of netstat vs ss usage guide on Linux, we’ll keep updating the list so follow us on twitter and facebook to get latest updates. Support us by downloading this guide as pdf using the link below.

RELATED ARTICLES

Most Popular

Recent Comments