ss Is the New netstat (And It's Better)

If you’re still using netstat in 2025, you’re using a deprecated tool. It’s been abandoned for years. The Linux community moved on to ss (socket statistics), which is faster, more informative, and does everything netstat did—plus more.

Here’s the thing: netstat reads from /proc/net/ files, which is slow and inefficient. ss talks directly to the kernel using netlink sockets, making it orders of magnitude faster. On a system with thousands of connections, the difference is noticeable.

Let me show you how to replace every netstat command you use.

Basic Connection Info

Find what’s listening on a port:

# Old way (netstat)
$ netstat -tlnp | grep 8080

# New way (ss)
$ ss -tlnp | grep 8080
LISTEN    0    128                      *:8080              *:*    users:(("python",1234,3))

Much cleaner. The ss output is more readable, and the PID is clearer.

See all established connections:

# netstat
$ netstat -tnp | grep ESTABLISHED

# ss
$ ss -tnp | grep ESTABLISHED
ESTAB  0  0  192.168.1.5:54321  example.com:443  users:(("curl",9876,3))

Common Options

ss uses similar flags to netstat, but they’re faster and more reliable:

-t  # TCP sockets only
-u  # UDP sockets only
-l  # Listening sockets only
-n  # Show IP addresses (not hostnames—faster)
-p  # Show process information
-a  # All sockets (listening + established)
-s  # Statistics summary
-e  # Extended information
-i  # Show internal TCP information

Pattern 1: Find Process Using a Port

$ ss -tlnp | grep :3000
LISTEN 0 128 0.0.0.0:3000 0.0.0.0:* users:(("node",5678,11))

Process 5678 (node) is listening on port 3000. Done.

Compare to netstat:

$ netstat -tlnp | grep 3000
tcp  0  0 0.0.0.0:3000  0.0.0.0:*  LISTEN  5678/node

Similar, but ss is faster and clearer.

Pattern 2: See All Network Connections

$ ss -tnp
State      Recv-Q Send-Q      Local Address:Port      Peer Address:Port Process
LISTEN     0      128               127.0.0.1:8080          0.0.0.0:*  users:(("python",1234,3))
ESTAB      0      0          192.168.1.5:54321    example.com:443  users:(("curl",9876,3))
TIME_WAIT  0      0          192.168.1.5:54322    example.com:443
...

Shows state, local/remote addresses, and process info. The Recv-Q and Send-Q columns show queued bytes waiting to be read or sent.

Pattern 3: Filter by Connection State

$ ss -tnp state established
ESTAB 0 0 192.168.1.5:54321 example.com:443 users:(("curl",9876,3))

$ ss -tnp state listening
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:* users:(("python",1234,3))

$ ss -tnp state time-wait
TIME_WAIT 0 0 192.168.1.5:54322 example.com:443

Much easier to filter than parsing netstat output.

Pattern 4: Filter by Source/Dest Address

# All connections to a specific host
$ ss -tnp dst 192.168.1.5

# All connections from a specific port
$ ss -tnp src 192.168.1.5:54321

# All connections to a destination port
$ ss -tnp dport eq 443

Powerful filtering without grep.

Pattern 5: Get Statistics

$ ss -s
TCP:   1234 established, 45 syn-recv, 67 time-wait, 89 closed
UDP:   234 rx, 345 tx
ICMP:  12 received, 5 sent
...

Quick summary of connection counts. Useful for understanding system load.

Pattern 6: Find Connections by Process

# All sockets belonging to postgres
$ ss -tnp | grep postgres

# Or use --processes with a PID
$ ss -tnep pid = 1234
ESTAB 0 0 127.0.0.1:5432 127.0.0.1:40123 users:(("psql",1234,5)) ino:12345 sk:1234@5678

The -e flag shows even more detail (inode, socket memory, etc.).

Why ss Is Better

Speed. Talks to the kernel directly instead of reading /proc files. On systems with 10k+ connections, this is noticeable.
Reliability. The kernel gives you consistent data. /proc files can be incomplete or outdated.
More information. Shows TCP state details, memory usage, queued bytes. Useful for diagnosing network issues.
Active development. netstat is unmaintained. ss gets fixes and features.
Better filtering. Use expressions instead of piping to grep.

Replacing Your Old Commands

Task	netstat	ss
Listen on port	`netstat -tlnp \| grep 8080`	`ss -tlnp \| grep :8080`
All connections	`netstat -tnp`	`ss -tnp`
Established only	`netstat -tnp \| grep ESTAB`	`ss -tnp state established`
Process on port	`netstat -tlnp \| grep 3000`	`ss -tlnp \| grep :3000`
Summary stats	`netstat -s`	`ss -s`
UDP sockets	`netstat -tnup`	`ss -unp`
All listening	`netstat -tlnp`	`ss -tlnp`

One More Thing: netstat Equivalents

If you have scripts using netstat, here’s the exact replacements:

# netstat -atn  →  ss -atn  (same flags!)
# netstat -ntp  →  ss -ntp
# netstat -tln  →  ss -tln
# netstat -at   →  ss -at
# netstat -s    →  ss -s

Most commands work 1:1. Just replace netstat with ss.

The Bottom Line

Stop using netstat. Your muscle memory will thank you once you realize ss is faster and the output is clearer. The tool is on every modern Linux system, and it’s the right way to inspect network sockets.

Make the switch. Your 2 AM debugging sessions will be slightly less frustrating.