Sometimes, network problems can be tricky to understand. Maybe your app isn’t connecting. Or maybe your server is listening, but no one can reach it. When that happens, you need tools to help you see what’s going on behind the scenes.
In this post, I’ll show you how to use two tools I often reach for: netstat and ss. They help you look at network activity on your Linux machine. That includes open ports, active connections, and which programs are using them.
netstat and ss are command-line tools. They both show network statistics, but ss is newer and faster. I’ll explain the differences and show how I use each one to debug problems.
Let’s break it down into simple steps so it’s easier to follow.
What are netstat and ss?
First, let’s define the tools.
netstat
netstat stands for network statistics. It’s been around for a long time. You can use it to check:
- What ports your machine is listening on.
- Which IP addresses it’s connected to.
- How many packets are being sent and received.
One downside is that it’s slower and doesn’t show as much detail as newer tools.
ss
ss means socket statistics. It does the same job as netstat, but faster and with more options. Most newer Linux distributions prefer ss.
When I switched from netstat to ss, I noticed the results came back almost instantly. It helped me figure out network issues faster.
Installing the Tools
You might already have these tools installed. But if not, here’s how to get them:
On Debian/Ubuntu:
sudo apt update
sudo apt install net-tools iproute2
On CentOS/RHEL:
sudo yum install net-tools iproute
On AlmaLinux or Rocky Linux:
sudo dnf install net-tools iproute
That will give you both netstat and ss.
Checking Open Ports
Sometimes you want to know what services are listening on your server. For example, is your web server running? Is SSH open?
Here’s how to check.
Using netstat
sudo netstat -tuln
What this does:
- -t = show TCP
- -u = show UDP
- -l = only show listening ports
- -n = show IP addresses and ports in numbers (not names)
You’ll see a list of IP addresses and port numbers like this:
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp6 0 0 :::80 :::* LISTEN
That tells you SSH is listening on port 22 and your web server is on port 80.
Using ss
The ss command gives similar info, just faster:
sudo ss -tuln
You’ll get output that looks a bit different but shows the same data.
Seeing Active Connections
Maybe your server is overloaded. Or maybe someone is connecting too often. You can check active connections with:
netstat
sudo netstat -tun
This shows all TCP and UDP connections.
Want to filter by IP or port? You can use grep:
sudo netstat -tun | grep 443
That narrows the list to connections using port 443 (HTTPS). grep matches 443 anywhere on the line, so a port like 44301 shows up too.
ss
sudo ss -tun
I like ss better here because it loads much faster. It’s also easier to use with filters.
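To answer "is someone connecting too often?" from that output, here is an added example (not from the original post) that counts connections per remote IP. The function names and the sample lines are constructed for illustration, and it assumes the default column layout of ss -tn or ss -tun.

```shell
#!/bin/sh
# Added example: count connections per remote IP from `ss -tn` / `ss -tun` text.

# Constructed sample in `ss -tn` layout (documentation address ranges).
sample_ss_tn() {
cat <<'EOF'
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0      0      203.0.113.10:443   198.51.100.7:51514
ESTAB 0      0      203.0.113.10:443   198.51.100.7:51515
ESTAB 0      0      [::ffff:203.0.113.10]:443 [::ffff:198.51.100.7]:51516
ESTAB 0      0      [2001:db8::10]:443 [2001:db8::99]:40022
ESTAB 0      0      203.0.113.10:22    192.0.2.44:60312
EOF
}

# Read ss output on stdin, print "count ip" lines, busiest peer first.
peer_counts() {
    awk '
        $1 == "State" || $1 == "Netid" { next }      # header row
        {
            # ss -tun adds a leading Netid column, which shifts the peer field.
            peer = ($1 == "tcp" || $1 == "udp") ? $6 : $5
            if (peer == "" || peer ~ /:\*$/) next     # short line or listener
            sub(/:[0-9]+$/, "", peer)                 # drop the port
            sub(/^\[/, "", peer); sub(/\]$/, "", peer) # unwrap [IPv6]
            sub(/^::ffff:/, "", peer)                 # IPv4-mapped -> plain IPv4
            n[peer]++
        }
        END { for (ip in n) print n[ip], ip }' | LC_ALL=C sort -k1,1nr -k2,2
}

# Print only the peers holding at least $1 connections.
noisy_peers() {
    peer_counts | awk -v min="$1" '$1 >= min { print $2 }'
}

# Demo on the sample; on a live host: sudo ss -tn | peer_counts
sample_ss_tn | peer_counts
```

Folding IPv4-mapped addresses into plain IPv4 keeps one client from being split across two rows when the service listens on a dual-stack socket.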
Knowing Which Program Uses Which Port
You may want to know what app is using a specific port. Maybe your web server isn’t starting because something else is already using port 80.
Use this command with netstat:
sudo netstat -tulpn
Or with ss:
sudo ss -tulpn
The -p flag shows the process ID (PID) and program name.
Example:
tcp LISTEN 0 128 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=1324,fd=6))
This tells you that nginx is using port 80.
This has helped me more than once when something unexpected was using a port I needed.
Useful Flags to Remember
Both netstat and ss support lots of flags. Here are the ones I use most:
For netstat
- -t – TCP
- -u – UDP
- -l – Listening ports
- -n – Show numeric IPs
- -p – Show program names
For ss
- -t – TCP
- -u – UDP
- -l – Listening
- -n – No DNS resolution
- -p – Show process info
Filtering with ss
ss has a nice feature: you can filter by port or state.
Want to see all connections to port 22?
sudo ss -tn sport = :22
Want to see connections that are established?
sudo ss -tn state established
This kind of filtering saves time, especially on busy servers.
Three Handy Lists for Debugging
When to Use netstat or ss
- When your server seems slow or overloaded
- When a service isn’t reachable
- When you want to check if a firewall is blocking traffic
Common Issues These Tools Help With
- A port is open, but nothing is connecting
- A service is running but not listening on the right port
- Too many connections from a single IP
- Two apps trying to use the same port
Things I Recommend Doing
- Use ss instead of netstat if your system supports it
- Always use -n to avoid slow DNS lookups
- Combine with grep to narrow results
My Personal Tips
Here’s a trick I use when I set up a new server. After I install my apps, I run:
ss -tulpn
I save the output in a text file. That way, if something goes wrong later, I can compare the current list to what it looked like when it was working.
Also, if I’m not sure a firewall is blocking traffic, I check if the service is actually listening. Many times, I thought the firewall was the issue — but it was just a service not running.
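The baseline comparison described above can be scripted. This is an added example, not part of the original post: the function names and both sample listings are constructed, and on a real server the two files would come from sudo ss -tulpn saved at setup time and again now.

```shell
#!/bin/sh
# Added example: compare a saved `ss -tulpn` listing with the current one.

# Constructed samples standing in for: sudo ss -tulpn > baseline.txt
sample_baseline() {
cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=801,fd=3))
tcp   LISTEN 0      128    0.0.0.0:80         0.0.0.0:*         users:(("nginx",pid=1324,fd=6))
EOF
}
sample_current() {
cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=2210,fd=3))
tcp   LISTEN 0      128    0.0.0.0:8080       0.0.0.0:*         users:(("python3",pid=4021,fd=4))
EOF
}

# Reduce ss -tulpn text on stdin to stable keys "netid addr:port program".
# PIDs, fds and queue sizes are dropped because they change across restarts.
listener_keys() {
    awk '
        $1 == "Netid" || NF < 5 { next }     # header, blank or short line
        {
            prog = "-"                        # no process info without root
            if (match($0, /\(\("[^"]+"/))
                prog = substr($0, RSTART + 3, RLENGTH - 4)
            print $1, $5, prog
        }' | LC_ALL=C sort -u
}

# compare_listeners new|missing BASELINE_FILE CURRENT_FILE
compare_listeners() {
    case "$1" in new) col=-13 ;; missing) col=-23 ;; *) return 2 ;; esac
    b=$(mktemp); c=$(mktemp)
    listener_keys < "$2" > "$b"
    listener_keys < "$3" > "$c"
    LC_ALL=C comm "$col" "$b" "$c"
    rm -f "$b" "$c"
}

d=$(mktemp -d)
sample_baseline > "$d/base.txt"; sample_current > "$d/now.txt"
echo "new listeners:";     compare_listeners new "$d/base.txt" "$d/now.txt"
echo "missing listeners:"; compare_listeners missing "$d/base.txt" "$d/now.txt"
rm -rf "$d"
```

A plain diff of the two raw files would flag sshd as changed just because its PID differs after a restart; comparing the reduced keys reports only the listener that appeared on 8080 and the nginx listener that went away.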
Summary
Debugging network problems isn’t fun, but with the right tools, it gets easier. netstat and ss show you what’s going on with ports, programs, and connections. If something isn’t working, these tools often help you find the cause.
Here’s what we learned:
- netstat is older, but still useful.
- ss is faster and has more options.
- You can check open ports, active connections, and running programs.
- Filters and flags make your search more accurate.
I hope this helps you feel more confident when your network acts up.
Do you want to learn how to use these tools with iptables or firewalld? That’s a great next step. Let me know, and I’ll write a guide for that too.