The ss Command

ss (socket statistics) is the modern Linux replacement for netstat — it reads socket data directly from the kernel, runs significantly faster on busy systems, and exposes TCP internals that netstat cannot show.

Why ss Replaced netstat on Linux

The traditional netstat command reads /proc/net/tcp and related files to enumerate sockets. On systems with thousands of concurrent connections — a busy web server, for example — iterating these proc files is slow. ss bypasses proc entirely and reads socket information directly from the kernel via the netlink socket interface. On a server with 50,000 connections, ss can complete in milliseconds where netstat takes seconds.

Beyond speed, ss provides richer output. With the -i flag it shows TCP internal state: round-trip time estimates, congestion window size, retransmission timers, and more. This level of detail was never available through the traditional netstat interface.

ss is part of the iproute2 package and is installed by default on every major Linux distribution. It is not available on Windows or macOS — use netstat on those platforms.

Core Flags

The most common flags mirror netstat closely, making the transition straightforward. The key difference is that ss supports powerful state-based and expression-based filtering that netstat lacks.

Flag       Meaning
-a         All sockets (listening + established + other states)
-t         TCP sockets only
-u         UDP sockets only
-l         Listening sockets only
-n         Numeric: do not resolve hostnames or port names
-p         Show process name and PID (requires root for other users' sockets)
-e         Extended socket information (UID, inode, cookie)
-i         TCP internal info (RTT, cwnd, retransmit timers)
-s         Summary statistics by socket type and state
-4 / -6    IPv4 only / IPv6 only

The Most Useful Combinations

ss -tlnp is the go-to command for checking what is listening on your system. It shows TCP listening sockets, suppresses name resolution, and includes the process.

$ sudo ss -tlnp
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=892,fd=3))
LISTEN  0       128     127.0.0.1:3306      0.0.0.0:*          users:(("mysqld",pid=1204,fd=21))
LISTEN  0       511     0.0.0.0:443         0.0.0.0:*          users:(("nginx",pid=1876,fd=8))

The users: column shows the process name, PID, and file descriptor number. Run with sudo to see processes owned by other users — without it, the users column will be empty for sockets not owned by your current user.
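
As an added example (not part of the original page), the shell function below reads ss -tlnp output on standard input and labels each listener as exposed (bound to a wildcard or other non-loopback address) or local (loopback only). The names audit_listeners and sample_ss_output are hypothetical; the sample input reuses the three lines shown above plus two constructed lines.

```shell
#!/bin/sh
# audit_listeners (hypothetical name): classify listeners from `ss -tlnp`
# output read on stdin. Prints: <exposed|local> <address> <port> <process>
audit_listeners() {
    awk '
    {
        # State is column 1, or column 2 when a Netid column is present.
        s = 0
        for (i = 1; i <= 2; i++) if ($i == "LISTEN") s = i
        if (!s) next
        local_addr = $(s + 3)
        # Split at the LAST colon: IPv6 addresses contain colons themselves.
        if (!match(local_addr, /:[^:]*$/)) next
        addr = substr(local_addr, 1, RSTART - 1)
        port = substr(local_addr, RSTART + 1)
        sub(/%.*$/, "", addr)          # drop an interface scope such as %lo
        scope = "exposed"
        if (addr ~ /^127\./ || addr == "[::1]") scope = "local"
        # Process name: first quoted string inside the users:(( column.
        proc = "-"
        if (match($0, /users:\(\("[^"]+"/))
            proc = substr($0, RSTART + 9, RLENGTH - 10)
        print scope, addr, port, proc
    }'
}

# Sample input: the first three LISTEN lines are from the page,
# the last two are constructed for this example.
sample_ss_output() {
    cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=892,fd=3))
LISTEN  0       128     127.0.0.1:3306      0.0.0.0:*          users:(("mysqld",pid=1204,fd=21))
LISTEN  0       511     0.0.0.0:443         0.0.0.0:*          users:(("nginx",pid=1876,fd=8))
LISTEN  0       4096    127.0.0.53%lo:53    0.0.0.0:*          users:(("systemd-resolve",pid=611,fd=14))
LISTEN  0       128     [::]:22             [::]:*             users:(("sshd",pid=892,fd=4))
EOF
}

sample_ss_output | audit_listeners
```

On a live host, run sudo ss -tlnp | audit_listeners; an exposed line for a service that is meant to be local-only (a database, for example) is worth checking against its bind configuration.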

To see all established TCP connections: ss -tn state established. To see connections to a specific remote host: ss -tn dst 8.8.8.8. To filter by local port: ss -tnlp sport = :443.

State-Based Filtering

One of ss's most powerful features is the ability to filter by TCP state directly. The syntax is ss state [statename]. Common states include established, listening, time-wait, close-wait, and fin-wait-1. You can also use the meta-state connected (all non-listening, non-closed states) or bucket (TIME-WAIT and SYN-RECV, which are maintained in a separate hash bucket structure in the kernel).

To count all TIME-WAIT connections (useful for diagnosing connection-table exhaustion on a high-traffic server), add -H to suppress the header line so that it is not included in the count:

ss -H -tan state time-wait | wc -l

TCP Internals with -i

Adding the -i flag to an established-connection query reveals the TCP internals that make ss uniquely useful for performance diagnosis:

$ ss -tin dst 192.168.1.100
cubic wscale:7,7 rto:204 rtt:3.5/0.75 ato:40 mss:1448 pmtu:1500 rcvmss:1448
rcvbuf:131072 sndbuf:87040 cwnd:10 ssthresh:10 bytes_sent:45120 retrans:0/0

The rtt field shows the current round-trip time estimate for that connection. cwnd is the congestion window — how many packets the sender can have in flight at once. retrans counts retransmissions. These values help diagnose whether a slow transfer is a bandwidth problem, a latency problem, or a retransmission problem.
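
As an added example (not part of the original page), the function below pairs each established socket in ss -tin output with its info lines and prints the peer, RTT, cwnd and total retransmissions, marking connections that have retransmitted. The names tcp_health and sample_ss_tin are hypothetical, the sample input is constructed, and the input is assumed to include the State column (plain ss -tin without a state filter).

```shell
#!/bin/sh
# tcp_health (hypothetical name): summarise `ss -tin` output read on stdin.
# Prints: <peer> <rtt_ms> <cwnd> <total_retrans> <ok|RETRANS>
tcp_health() {
    awk '
    function emit(   n, f, i, a, b, rtt, cwnd, retrans) {
        if (peer == "") return
        rtt = "-"; cwnd = "-"; retrans = 0   # a missing retrans field means 0
        n = split(info, f, " ")
        for (i = 1; i <= n; i++) {
            # rtt:<estimate>/<variance>, both in milliseconds
            if (f[i] ~ /^rtt:/)     { split(substr(f[i], 5), a, "/"); rtt = a[1] }
            if (f[i] ~ /^cwnd:/)    { cwnd = substr(f[i], 6) }
            # retrans:<currently outstanding>/<total for the connection>
            if (f[i] ~ /^retrans:/) { split(substr(f[i], 9), b, "/"); retrans = b[2] }
        }
        print peer, rtt, cwnd, retrans, (retrans + 0 > 0 ? "RETRANS" : "ok")
        peer = ""
    }
    # A socket line starts a new record; the lines after it are its info.
    $1 == "ESTAB" { emit(); peer = $5; info = ""; next }
    peer != ""    { info = info " " $0 }
    END           { emit() }
    '
}

# Constructed sample. The first record wraps its info over two lines, as in
# the listing above; the second keeps it on one line.
sample_ss_tin() {
    cat <<'EOF'
State  Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
ESTAB  0       0       192.168.1.10:51514   192.168.1.100:443
     cubic wscale:7,7 rto:204 rtt:3.5/0.75 ato:40 mss:1448 pmtu:1500 rcvmss:1448
     rcvbuf:131072 sndbuf:87040 cwnd:10 ssthresh:10 bytes_sent:45120 retrans:0/0
ESTAB  0       0       192.168.1.10:40022   192.168.1.100:5432
     cubic wscale:7,7 rto:408 rtt:182.4/40.1 mss:1448 cwnd:2 ssthresh:2 bytes_sent:90112 retrans:0/17
EOF
}

sample_ss_tin | tcp_health
```

In the sample, the second connection combines a high RTT, a small cwnd and 17 total retransmissions, the pattern that points to loss rather than a bandwidth limit.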

Summary Statistics

ss -s prints a high-level summary of all sockets on the system, broken down by type. This is useful as a first check before drilling into individual connections:

Total: 312
TCP:   48 (estab 31, closed 4, orphaned 0, timewait 4)
Transport  Total  IP   IPv6
RAW        0      0    0
UDP        6      4    2
TCP        44     38   6
INET       50     42   8

Frequently Asked Questions

Is ss available on all Linux distributions?

Yes. ss is part of the iproute2 package, which ships as a default component of every major Linux distribution. It is not available on Windows or macOS — those systems use netstat as the equivalent tool.

How do I show only listening TCP ports with ss?

Run sudo ss -tlnp: -t for TCP, -l for listening only, -n for numeric output, and -p for process names. The sudo is needed to see process names for ports owned by other users.

How do I find what process owns a socket in ss?

Use the -p flag. The output shows a users: column with the process name, PID, and file descriptor. For example: users:(("nginx",pid=1876,fd=8)). Run as root to see process information for sockets owned by system services.

What is the difference between ss and netstat output format?

ss uses "Netid" instead of "Proto" and shows Recv-Q and Send-Q as actual kernel queue sizes. With the -i flag ss reveals TCP internals like RTT and congestion window that netstat cannot show. The column layout is slightly different, but the core information is the same for the common use cases.

How do I filter ss output by port?

Use sport (source/local) or dport (destination/remote) expressions: ss -tnp sport = :443 shows sockets on local port 443. Combine with boolean operators: ss -tn sport = :80 or sport = :443. Use ss -tn dst 1.2.3.4 to filter by remote IP.

How do I show a summary of socket statistics with ss?

Run ss -s for a compact summary of all sockets broken down by type (TCP, UDP, RAW) and TCP state (established, time-wait, orphaned, etc.). This is the fastest way to assess overall socket activity without scrolling through individual entries.
