netstat is long obsolete and not installed by default in modern distributions. ss is its replacement from the iproute2 package, reading data directly from the kernel via Netlink sockets. This is faster and more accurate, especially on systems with thousands of connections.
Installation
On Ubuntu and Debian, ss is part of the iproute2 package which is installed by default. If for some reason it is missing:
sudo apt install iproute2
Check the version:
ss --version
Basic Output
Without flags, ss shows all non-listening connections:
ss
In practice, flags are always used.
The Most Useful Flags
Show all TCP connections:
ss -t
All UDP connections:
ss -u
All Unix sockets:
ss -x
Listening ports (waiting for incoming connections):
ss -l
Numeric addresses and ports without DNS resolution — faster:
ss -n
Show the process holding each connection:
ss -p
Flags combine. The most common combination — all listening TCP ports with process names:
ss -tlnp
All connections of all types:
ss -a
Understanding the Output
Recv-Q — bytes queued for reception. Send-Q — bytes waiting to be sent. Non-zero values at LISTEN state indicate a backlog of incomplete connections — worth watching under load.
Local Address:Port — the address the service is listening on. 0.0.0.0 means all interfaces. 127.0.0.1 means localhost only — not reachable from outside.
Filtering by Port and Address
Find what is listening on a specific port:
ss -tlnp sport = :80
All connections to a specific remote host:
ss -tn dst 192.168.1.100
Connections from a specific local address:
ss -tn src 10.0.0.1
Connections in a port range:
ss -tn sport gt :1024
Multiple conditions with and:
ss -tn dst 192.168.1.100 and sport = :443
Filtering by TCP State
Show only established connections:
ss -tn state established
Only TIME_WAIT — can accumulate after high load:
ss -tn state time-wait
Everything except established:
ss -tn exclude established
All wait states at once:
ss -tn state time-wait or state close-wait or state fin-wait-1
Full list of states: established, syn-sent, syn-recv, fin-wait-1, fin-wait-2, time-wait, closed, close-wait, last-ack, listening, closing.
Find a Process by Port
Find which process holds port 443:
ss -tlnp sport = :443
Or via grep:
ss -tlnp | grep :443
The output shows PID and process name in the Process column.
Protocol Statistics
Summary statistics for TCP, UDP, ICMP:
ss -s
Shows the total count of connections including TIME_WAIT and orphaned — useful when diagnosing connection leaks.
Real-Time Monitoring
ss does not update itself. For live monitoring — use watch:
watch -n 1 ss -tlnp
Updates every second. Useful for watching connection changes under load.
Counters only:
watch -n 1 ss -s
ss vs netstat: Practical Comparison
| Parameter | ss | netstat |
|---|---|---|
| Data source | Netlink (kernel) | /proc/net |
| Speed | Faster | Slower |
| Status on Ubuntu | Installed by default | Not installed |
| Package | iproute2 | net-tools |
| Filters | Built-in | grep only |
Equivalent commands for those used to netstat:
netstat -tlnp → ss -tlnp netstat -an → ss -an netstat -s → ss -s
Practical Scenarios
Check that Nginx is running and listening on 80 and 443:
ss -tlnp | grep nginx
Find all connections to MySQL (port 3306):
ss -tn dst :3306
Count active TCP connections:
ss -tn state established | wc -l
Check all connections of a specific process by PID:
ss -p | grep pid=1234
Verify a port is free before starting a service:
ss -tlnp sport = :8080
Empty output means the port is free.
Quick Reference
| Task | Command |
|---|---|
| Listening TCP ports with processes | ss -tlnp |
| All UDP | ss -uanp |
| Unix sockets | ss -xnp |
| Protocol statistics | ss -s |
| Find by port | ss -tlnp sport = :80 |
| Connections to host | ss -tn dst 192.168.1.1 |
| Established only | ss -tn state established |
| TIME_WAIT only | ss -tn state time-wait |
| Connection count | ss -tn state established | wc -l |
| Real-time monitoring | watch -n 1 ss -tlnp |
