52

In Linux, the netstat command gives us information about the active sockets in the system.

I understand that netstat uses /proc/net/tcp to acquire the system network information.

The netstat man page says that netstat is obsolete, so we should use 'ss'.

NOTE
   This program is obsolete.  Replacement for netstat is ss.   Replacement
   for  netstat -r is ip route.  Replacement for netstat -i is ip -s link.
   Replacement for netstat -g is ip maddr.

I have discovered that ss performs similar functionality but it does not use /proc/net/tcp to acquire system network information.

Now I am curious how ss gets system network socket information?

radtek
daehee

5 Answers

35

It gets them from kernel space directly using Netlink which uses the classic sockets API.

ggiroux
    Thank you. It would be better if there were more detailed information about how ss queries information from kernel space – daehee Aug 24 '12 at 17:59
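The Netlink exchange mentioned in the answer above, as an added example (not part of any answer here and not code from iproute2): it builds the `SOCK_DIAG_BY_FAMILY` dump request and decodes the `inet_diag_msg` replies, including the owning UID and inode that are useful when auditing which account holds a socket. The function names are assumptions of this example; the constants and struct layouts are those of the Linux UAPI headers `linux/netlink.h`, `linux/sock_diag.h` and `linux/inet_diag.h`.

```python
import socket
import struct

NETLINK_SOCK_DIAG = 4          # netlink family, <linux/netlink.h>
SOCK_DIAG_BY_FAMILY = 20       # message type, <linux/sock_diag.h>
NLM_F_REQUEST, NLM_F_DUMP = 0x001, 0x300
NLMSG_ERROR, NLMSG_DONE = 2, 3
STATES = {1: "ESTAB", 6: "TIME-WAIT", 8: "CLOSE-WAIT", 10: "LISTEN"}

def build_request(family=socket.AF_INET, proto=socket.IPPROTO_TCP):
    # struct inet_diag_req_v2: family, protocol, ext, pad, states bitmask, 48-byte sockid
    body = struct.pack("=BBBxI", family, proto, 0, 0xFFFFFFFF) + bytes(48)
    return struct.pack("=IHHII", 16 + len(body), SOCK_DIAG_BY_FAMILY,
                       NLM_F_REQUEST | NLM_F_DUMP, 1, 0) + body

def parse_dump(buf):
    """Walk the netlink messages in buf; return (rows, saw_NLMSG_DONE)."""
    rows, off = [], 0
    while off + 16 <= len(buf):
        length, mtype = struct.unpack_from("=IH", buf, off)  # start of nlmsghdr
        if length < 16:
            raise ValueError("malformed netlink message")
        if mtype == NLMSG_DONE:
            return rows, True
        if mtype == NLMSG_ERROR:           # payload starts with a negative errno
            raise OSError(-struct.unpack_from("=i", buf, off + 16)[0], "sock_diag")
        if mtype == SOCK_DIAG_BY_FAMILY:   # payload is struct inet_diag_msg
            fam, state = struct.unpack_from("=BB", buf, off + 16)
            sport, dport = struct.unpack_from("!HH", buf, off + 20)  # network order
            alen = 4 if fam == socket.AF_INET else 16
            src = socket.inet_ntop(fam, buf[off + 24:off + 24 + alen])
            dst = socket.inet_ntop(fam, buf[off + 40:off + 40 + alen])
            uid, inode = struct.unpack_from("=II", buf, off + 80)
            rows.append((STATES.get(state, str(state)), f"{src}:{sport}",
                         f"{dst}:{dport}", uid, inode))
        off += (length + 3) & ~3           # NLMSG_ALIGN
    return rows, False

def query(family=socket.AF_INET):
    """Live dump (Linux only): one request, replies until NLMSG_DONE."""
    with socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, NETLINK_SOCK_DIAG) as s:
        s.sendto(build_request(family), (0, 0))      # pid 0 = the kernel
        rows, done = [], False
        while not done:
            part, done = parse_dump(s.recv(65536))
            rows += part
        return rows

if __name__ == "__main__":
    print(*query(), sep="\n")
```

Each row is (state, local address, peer address, uid, inode); the inode can be matched against the `socket:[inode]` links under `/proc/<pid>/fd` to find the owning process.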
25

I've made a comparison table (in Google Docs) (light HTML link) for converting between netstat and ss arguments. It's too big to include and update here.

The short version of the differences between the short arguments is:

Arguments that require attention: r N i g M W T v C F c A U 2 f

Arguments that are safe to leave as is: h V l a n Z s p e o 4 6 x t u S w

int_ua
21

ss is included in the iproute2 package and is the substitute for netstat. ss is used to dump socket statistics. It shows information similar to netstat. It can display more TCP and state information than other tools. It is a new, incredibly useful and faster (compared to netstat) tool for tracking TCP connections and sockets.

timlyo
Mr.Cool
11

Check out the source for ss:

https://github.com/shemminger/iproute2/blob/master/misc/ss.c

Basically it directly queries the kernel and can respond much faster than netstat.

tgogos
Mahesh Neelakanta
10

ss is a utility used to investigate sockets in Linux and Unix systems. It shows information similar to netstat and is able to dump socket statistics.

But netstat cannot be fully replaced by ss. Some netstat commands correspond better to the ip command.

    $ netstat -r   replaced by  $ ip route
    $ netstat -i   replaced by  $ ip -s link
    $ netstat -g   replaced by  $ ip maddr

I would say the "older" netstat command can be replaced with both ss and ip commands.

prosti