How to use ss command instead of netstat in Linux operation and maintenance

  • 2021-07-01 08:36:06
  • OfStack

Preface

When operating and managing Linux servers, one of the most commonly used commands is netstat. I often use this command to see which processes are listening on ports on the current server, which is mainly used to diagnose the working status of network services.

However, I recently installed an Ubuntu distribution and found that netstat was not installed by default, which struck me as very strange. After installing it manually, I found that the man page said the netstat command is already deprecated and recommends using the ss command instead.

This program is mostly obsolete. Replacement for netstat is ss. Replacement for netstat -r is ip route. Replacement for netstat -i is ip -s link. Replacement for netstat -g is ip maddr.

netstat man pages

Usage of netstat

netstat has a great many parameters, but I always use the same one combination, to the point that I can no longer remember what each parameter means:


netstat -npl

The result is this:


Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address      Foreign Address     State    PID/Program name
tcp    0   0 127.0.0.53:53      0.0.0.0:*        LISTEN   655/systemd-resolve
tcp    0   0 0.0.0.0:22       0.0.0.0:*        LISTEN   890/sshd
tcp    0   0 127.0.0.1:631      0.0.0.0:*        LISTEN   30790/cupsd
tcp    0   0 0.0.0.0:18025      0.0.0.0:*        LISTEN   890/sshd
tcp6    0   0 :::22          :::*          LISTEN   890/sshd
tcp6    0   0 ::1:631         :::*          LISTEN   30790/cupsd
tcp6    0   0 :::9090         :::*          LISTEN   15415/./prometheus
tcp6    0   0 :::18025        :::*          LISTEN   890/sshd
udp    0   0 127.0.0.53:53      0.0.0.0:*              655/systemd-resolve
udp    0   0 0.0.0.0:631       0.0.0.0:*              30792/cups-browsed
udp    0   0 0.0.0.0:5353      0.0.0.0:*              757/avahi-daemon: r
udp    0   0 0.0.0.0:42360      0.0.0.0:*              757/avahi-daemon: r
udp6    0   0 :::58232        :::*                757/avahi-daemon: r
udp6    0   0 :::5353         :::*                757/avahi-daemon: r
Active UNIX domain sockets (only servers)
Proto RefCnt Flags    Type    State     I-Node  PID/Program name   Path
unix 2   [ ACC ]   STREAM   LISTENING   35116  1304/gnome-session- @/tmp/.ICE-unix/1304
unix 2   [ ACC ]   SEQPACKET LISTENING   1448   1/init        /run/udev/control
unix 2   [ ACC ]   STREAM   LISTENING   34277  1270/systemd     /run/user/1000/systemd/private
unix 2   [ ACC ]   STREAM   LISTENING   34282  1270/systemd     /run/user/1000/gnupg/S.gpg-agent.ssh
unix 2   [ ACC ]   STREAM   LISTENING   33510  1270/systemd     /run/user/1000/gnupg/S.gpg-agent
unix 2   [ ACC ]   STREAM   LISTENING   33511  1270/systemd     /run/user/1000/pulse/native
unix 2   [ ACC ]   STREAM   LISTENING   33512  1270/systemd     /run/user/1000/gnupg/S.gpg-agent.extra

This most commonly used combination shows the result in two sections: the first shows listening TCP/UDP sockets, the second shows listening UNIX domain sockets. Parameter n means display addresses numerically (otherwise host names or domain names are shown), parameter p means display the process name (sometimes it can't be displayed), and l means show only sockets in the LISTENING state.

Through the above command we can see all the sockets open on the system. If you start a network service, or write one yourself that opens a port, you should be able to see that port with this command. If you can't see it, the port most likely wasn't opened correctly and you should look into why. So this is a good debugging command.

Usage of ss

The most basic usage of netstat is introduced above. Of course it has many other uses, but let's set those aside for now. If we want to use the ss command instead of netstat, how do we get a similar result?


ss -atlp

This is a parameter combination I worked out by myself. I still can't recite it fluently and have to check the documentation every time:


State     Recv-Q      Send-Q           Local Address:Port            Peer Address:Port
LISTEN     0        128             127.0.0.53%lo:domain             0.0.0.0:*       users:(("systemd-resolve",pid=655,fd=13))
LISTEN     0        128                0.0.0.0:ssh               0.0.0.0:*       users:(("sshd",pid=890,fd=5))
LISTEN     0        5                127.0.0.1:ipp               0.0.0.0:*       users:(("cupsd",pid=30790,fd=7))
LISTEN     0        128                0.0.0.0:18025              0.0.0.0:*       users:(("sshd",pid=890,fd=3))
LISTEN     0        128                 [::]:ssh                [::]:*       users:(("sshd",pid=890,fd=6))
LISTEN     0        5                  [::1]:ipp                [::]:*       users:(("cupsd",pid=30790,fd=6))
LISTEN     0        128                   *:9090                 *:*       users:(("prometheus",pid=15415,fd=3))
LISTEN     0        128                 [::]:18025               [::]:*       users:(("sshd",pid=890,fd=4))

This is the result of the ss command. As you can see, the format is very different from netstat's and is not as compact and intuitive. This is one of the reasons many people criticize the command. Of course, those who criticize the critics think people are just clinging to a habit and are unwilling to move forward, and it's not wrong to say so. Take myself as an example: I started working in 2010 and learned the netstat command then; I have used it for nearly 10 years now and it has never changed, so of course its output looks pleasing to my eye.

Of course, there is another complaint raised by people abroad, namely that the name ss is bad. In fact, ss probably stands for socket statistics; abbreviated to just two letters it is hard to associate with anything and not as intuitive as netstat. That is my explanation, though, not the reason for their complaint. What they complain about is that every time they mention ss, they think of Hitler! Incredible, isn't it? I was born in the 1980s and have no such association. The key point is that we mainly use Chinese: on seeing ss you would at most think of a "ladder" (Chinese slang for a proxy), but never of Hitler. Nazi Germany had an armed force originally known as the SS Special Mobile Unit (SS-Verfügungstruppe), later renamed the Waffen-SS; its German abbreviation is SS.

Enough digression; let's talk about the parameters. a means show all sockets, t means show the TCP protocol, l means the LISTENING state, and p means process information. From the table above we can see that the information printed by the p parameter is not as neat as netstat's, but it is more complete, showing the process name, PID and FD. Because of the double parentheses, the key=value format and the quotation marks, however, it looks messy. Of course we could format it with one more command, but that is still too much trouble.
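The snippet below is an added example and not part of the original article: a small POSIX shell function that reduces the users:(("name",pid=N,fd=M)) column of ss output to the compact PID/Program form netstat users are used to, so the "is my port actually listening?" check described earlier works the same way with ss. It assumes the numeric form ss -tlnp (the n flag keeps ports as numbers, which makes the output stable to parse); the sample input is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example: reformat `ss -tlnp` output into the compact
# "Local Address  PID/Program" shape that netstat -npl users know.
# Only POSIX sh + awk are used, so it runs wherever ss does.

# Constructed sample of `ss -tlnp` output (not captured from a real host).
# The last line has no Process column, as happens when ss is run
# without the privileges needed to see the socket owner.
SS_SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    127.0.0.53%lo:53  0.0.0.0:*   users:(("systemd-resolve",pid=655,fd=13))
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*   users:(("sshd",pid=890,fd=5))
LISTEN 0      128    [::]:22           [::]:*      users:(("sshd",pid=890,fd=6))
LISTEN 0      128    *:9090            *:*         users:(("prometheus",pid=15415,fd=3))
LISTEN 0      128    0.0.0.0:8080      0.0.0.0:*'

# ss_compact: read `ss -tlnp` output on stdin and print one line per
# socket: "<local address:port>  <pid>/<program>", or "-" as the owner
# when ss could not show the process.
ss_compact() {
    awk 'NR == 1 { next }                    # skip the header row
         {
           owner = "-"
           # Process column looks like users:(("sshd",pid=890,fd=5))
           if (match($0, /users:\(\("[^"]+",pid=[0-9]+/)) {
               field = substr($0, RSTART, RLENGTH)
               sub(/^users:\(\("/, "", field)      # drop the prefix
               split(field, part, "\",pid=")       # part[1]=name, part[2]=pid
               owner = part[2] "/" part[1]
           }
           printf "%-22s %s\n", $4, owner
         }'
}

# listening_programs: the distinct owners of listening TCP sockets,
# sorted in C locale so the list is stable enough to diff against a
# known-good baseline of what should be listening on this host.
listening_programs() {
    ss_compact | awk '{ print $2 }' | LC_ALL=C sort -u
}

# Usage on a live host:  ss -tlnp | ss_compact
# Usage on the sample:   printf '%s\n' "$SS_SAMPLE" | ss_compact
```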

What is the reason for the replacement?

This was probably what I was most curious about. However, most of what I found searching online was vague, which left me a little at a loss.

In general, we can see that the net-tools package is going to be replaced by the iproute package. The reasons are as follows: 1. the package is too old; 2. it does not support many new kernel features (without saying which ones) and its interface is not well designed (unfriendly on the command line and hard to automate); 3. ifconfig in net-tools does have many shortcomings; 4. the maintainers no longer want to maintain net-tools in the future.

Luk Claes and I, as the current maintainers of net-tools, have been thinking about its future. Net-tools has been a core part of Debian and any other Linux-based distro for many years, but it's showing its age.

It doesn't support many of the modern features of the Linux kernel, the interface is far from optimal and difficult to use in automation, and also, it hasn't got much love in the last years.

On the other side, the iproute suite, introduced around the 2.2 kernel line, has both a much better and consistent interface, is more powerful, and is almost ten years old, so nobody would say it's untested.

Hence, our plans are to replace net-tools completely with iproute, maybe leading the route for other distributions to follow. Of course, most people and tools use and remember the venerable old interface, so the first step would be to write wrappers, trying to be compatible with net-tools.

At the same time, we believe that most packages using net-tools should be patched to use iproute instead, while others can continue using the wrappers for some time. The ifupdown package is obviously the first candidate, but it seems that a version using iproute has been available in experimental since 2007.

https://serverfault.com/questions/633087/where-is-the-statement-of-deprecation-of-ifconfig-on-linux

There are also analyses at the level of principle: the current netstat and ifconfig commands do their work by reading and writing virtual files under the /proc directory. This is no problem on small systems, but on large-scale systems it may hurt performance and so on. In contrast, the ss and ip commands use the netlink socket feature of the Linux kernel, which is a fundamental difference. Although the old commands could be rewritten on the new principle, nobody actually does that, mainly because there are political issues between different groups of programmers and nobody agrees...

Of course, at a deeper level, when we use such debugging commands what we really want to know is the state of the kernel. The kernel's networking module has in fact changed its whole underlying principle, while at the same time we demand that the commands keep displaying information as before. The display format has thus drifted away from the real principle, so in the long run replacing these two commands is inevitable.

Conclusion

It is better for those of us who do technology to keep pace with the times. Although the old commands are familiar, easy to use, always at hand and impossible to forget, we should keep learning the new ones. Many distributions no longer ship the net-tools package by default; although it can still be installed manually, the attitude behind this is clear. On the other hand, when we do technology we should also guard against letting our brains become rigid, and keep our curiosity and enthusiasm for new things.
