ipdetecto.com logo
ipdetecto.com
My IPSpeed
Knowledge Hub
HomeKnowledge HubNetstat Vs Ss
© 2026 ipdetecto.com
support@ipdetecto.comAboutContactPrivacyTermsllms.txt
Basics
5 MIN READ
Apr 19, 2026

netstat vs ss on Linux

ss from iproute2 reads socket info from kernel netlink quickly; netstat from net-tools is legacy but still appears in tutorials—prefer ss for scripts, columns, and filter expressions.

Why ss exists

ss is part of iproute2 and talks to the kernel over netlink, so it scales better on hosts with huge connection tables. netstat historically parsed /proc and lived in the older net-tools package—still correct, just slower and less featured.

Everyday mappings

Goalssnetstat
Listeners + PIDsss -tulpnnetstat -tulpn
Established flowsss -tan state establishednetstat -tan + grep
Timers / congestionss -tiLimited / varies

Scripting tips

Use ss -H to omit header, ss -4/-6 to split stacks, and JSON output on newer versions for parsers—avoid brittle column slicing.

Related: using netstat and ss, checking open ports, Linux networking commands, iptables vs UFW.

Frequently Asked Questions

Q.Should I install net-tools just for netstat?

Usually no—install docs may mention netstat, but `ss` ships with iproute2 on modern distros and covers the same audits.

Q.Why does ss show users as `-` until I use sudo?

Unprivileged users cannot see other users’ process names on sockets; run with least privilege escalation only when required.

Q.Does netstat lie about Docker published ports?

Both show host listeners created by docker-proxy or iptables DNAT; always correlate with `docker ps` and `ss` output.

Q.How do I filter ss output by destination port?

Use `ss dst :443` style filters or `sport`/`dport` expressions—faster than piping megabytes through awk.

Q.Is ss available on macOS?

macOS uses `netstat` and `sockstat`; `ss` is Linux-centric—do not copy Linux-only flags into BSD scripts.

Q.Why do counters differ between ss and /proc/net/sockstat?

Timing and snapshot boundaries differ; use one tool per investigation and capture timestamps.

Q.Can I replace lsof -i with ss?

Often yes—`ss -tulpn` overlaps for listeners; lsof still shines for unbound UDP and file+socket combos.

Q.What is the Windows equivalent?

Use `Get-NetTCPConnection` / `netstat` on Windows; concepts map but flags differ—see Windows netstat article on this site.
TOPICS & TAGS
netstat vs ssss -tulpniproute2 socketslinux listening ports