cloudqubes

Content outline

Feb 13, 2020
2 Min read

netstat is obsolete - use ss

netstat has been a valuable tool for Linux sysadmins for a long time. Now there is a better option.

If you are still using netstat this is news for you. There is a better alternative; ss. According to the documentation of ss, it can display more socket information than other tools.

The following commands were executed on Ubuntu 18.04 with ss version ss180129. Depending on your version, output parameters may slightly vary.

Given no arguments, ss comaand will list all TCP, UDP, and Unix sockets, that are in established state.

ss

Option a is used to print all sockets, in all states.

ss -a

List only TCP sockets, in established state.

ss -t

List all TCP sockets, in all states.

ss -ta

Display additional information on TCP sockets.

ss -ti

The output of ss -ti include almost all the paraemters related to TCP stack, so wil be invaluable in troubleshooting network issues.

ss -ti
State               Recv-Q                Send-Q                                  Local Address:Port                                  Peer Address:Port                 
ESTAB               0                     64                                     10.199.254.220:ssh                                  172.20.10.10:51131
         cubic wscale:8,7 rto:248 rtt:45.193/25.671 ato:40 mss:1410 pmtu:1450 rcvmss:1168 advmss:1410 cwnd:10 bytes_acked:63569 bytes_received:5724 segs_out:155 segs_in:144 data_segs_out:150 data_segs_in:62 send 2.5Mbps lastrcv:4 lastack:4 pacing_rate 5.0Mbps delivery_rate 6.3Mbps app_limited busy:5128ms unacked:1 retrans:0/2 rcv_space:28200 rcv_ssthresh:45036 minrtt:44.417
ESTAB               0                     0                                      10.199.254.220:ssh                                  172.20.10.10:63611
         cubic wscale:8,7 rto:232 rtt:31.616/10.127 ato:40 mss:1410 pmtu:1450 rcvmss:1168 advmss:1410 cwnd:18 ssthresh:20 bytes_acked:180817 bytes_received:41516 segs_out:731 segs_in:813 data_segs_out:724 data_segs_in:587 send 6.4Mbps lastsnd:4713788 lastrcv:4713872 lastack:4713788 pacing_rate 7.7Mbps delivery_rate 49.7Mbps busy:19220ms rcv_rtt:430578 rcv_space:28332 rcv_ssthresh:73068 minrtt:1.185

Filtering can be applied based on socket status. The command takes the form ss [options] state <tcp-state>.

List all TCP listening ports.

ss -ta state listening

List all TCP ports in SYN-SENT status.

ss -ta state syn-sent

Filtering can also be done based IP address.

ss -tai dst 10.199.254.82

Or, based on source, dstination ports.

ss -t '( sport = :ssh )'

These filters can be combined to get a more fine grained output. Below command will list the TCP sockets in established state to port 22 with peer IP 172.16.10.10.

ss -t '( sport = :ssh )' dst 172.16.10.10

As you may appreciate ss has advanced filtering capabilities and provides more information than netstat. So, next time when you are investigating any network related things, rememeber to use ss instead of netstat.