difference between netstat and ss in linux?

Question

In linux, netstat command tells us information of active sockets in system.

I understand that netstat uses /proc/net/tcp to acquire the system

Answer 1

I've made a comparison table (in Google Docs) (light HTML link) for converting between netstat and ss arguments. It's too big to include and update it here.

The short version of difference between short arguments is:

Arguments that require attention: r N i g M W T v C F c A U 2 f

Arguments that are safe to leave as is: h V l a n Z s p e o 4 6 x t u S w

Answer 2

ss is a utility used to investigate sockets in Linux and Unix systems. It shows information similar to netstat and able to dump socket statistics.

But netstat cannot be replaced full by ss. Some netstat commands correspond better to ip command.

    $ netstat -r   replaced by  $ ip route
    $ netstat -i   replaced by  $ ip -s lin
    $ netstat -g   replaced by  $ ip maddr

I would say the "older" netstat command can be replaced with both ss and ip commands.

Answer 3

ss is included in iproute2 package and is the substitute of the netstat. ss is used to dump socket statistics. It shows information similar to netstat. It can display more TCP and state information than other tools. It is a new, incredibly useful and faster (compared to netstat) tool for tracking TCP connections and sockets.

Answer 4

It gets them from kernel space directly using Netlink which uses the classic sockets API.

Answer 5

Check out the source for ss:

https://github.com/shemminger/iproute2/blob/master/misc/ss.c

Basically it directly queries the kernel and can respond much faster than netstat.