netstat/ss Cheatsheet

Network state.

Overview

netstat is legacy; ss is the modern replacement. Both show network connection state; ss is much faster on busy hosts and supports richer filters. Use ss first.

• Connection enumeration. Listening sockets and established connections. The ground-truth view of the network state on the host.
• Process attribution. The -p flag links sockets to processes. Connection leaks become traceable.
• Rich filters. ss supports filters by state, port, source, destination. Narrows scope before pagination becomes painful.
• Statistics plus performance. -s shows protocol-level stats; ss is dramatically faster than netstat on busy hosts.

The approach

Three habits separate fluent ss from beginner ss: prefer ss over netstat, filter aggressively, and attribute every interesting connection to its process.

• ss -tlnp. TCP listening sockets with process. The standard starting point for “is the service even up?”
• ss -tnp state established. Established connections only. Catches connection-leak issues quickly.
• ss -tnp '( dport = :443 )'. Filter by destination port. Surgical view of egress to a specific service.
• ss -s and ss -i. -s for connection-summary statistics; -i for internal TCP info (cwnd, RTT) during performance investigations.

Why this compounds

ss fluency is high-leverage because the same toolset serves every TCP investigation the team runs. The patterns transfer to eBPF and modern observability tooling.

• Faster network investigation. Fluent ss produces fast root cause. MTTR drops on TCP-flavoured incidents.
• Connection-leak detection. Established-connection counts catch leaks before they exhaust file descriptors.
• Tool migration. Fluent ss removes the netstat dependency. The ecosystem has moved; the team should follow.
• Year-one investment, year-two habit. The first year establishes fluency under pressure. Subsequent years extend it.