How to Use netstat and ss for Network Debugging

Sometimes, network problems can be tricky to understand. Maybe your app isn’t connecting. Or maybe your server is listening, but no one can reach it. When that happens, you need tools to help you see what’s going on behind the scenes.

In this post, I’ll show you how to use two tools I often reach for: netstat and ss. They help you look at network activity on your Linux machine. That includes open ports, active connections, and which programs are using them.

netstat and ss are command-line tools. They both show network statistics, but ss is newer and faster. I’ll explain the differences and show how I use each one to debug problems.

Let’s break it down into simple steps so it’s easier to follow.


What are netstat and ss?

First, let’s define the tools.

netstat

netstat stands for network statistics. It’s been around for a long time. You can use it to check:

  • What ports your machine is listening on.
  • Which IP addresses it’s connected to.
  • How many packets are being sent and received.

One downside is that it’s slower and doesn’t show as much detail as newer tools.

ss

ss means socket statistics. It does the same job as netstat, but faster and with more options. Most newer Linux distributions prefer ss.

When I switched from netstat to ss, I noticed the results came back almost instantly. It helped me figure out network issues faster.


Installing the Tools

You might already have these tools installed. But if not, here’s how to get them:

On Debian/Ubuntu:

sudo apt update
sudo apt install net-tools iproute2

On CentOS/RHEL:

sudo yum install net-tools iproute

On AlmaLinux or Rocky Linux:

sudo dnf install net-tools iproute

That will give you both netstat and ss.


Checking Open Ports

Sometimes you want to know what services are listening on your server. For example, is your web server running? Is SSH open?

Here’s how to check.

Using netstat

sudo netstat -tuln

What this does:

  • -t = show TCP
  • -u = show UDP
  • -l = only show listening ports
  • -n = show IP addresses and ports in numbers (not names)

You’ll see a list of IP addresses and port numbers like this:

Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     
tcp6       0      0 :::80                   :::*                    LISTEN     

That tells you SSH is listening on port 22 and your web server is on port 80.

Using ss

The ss command gives similar info, just faster:

sudo ss -tuln

You’ll get output that looks a bit different but shows the same data.


Seeing Active Connections

Maybe your server is overloaded. Or maybe someone is connecting too often. You can check active connections with:

netstat

sudo netstat -tun

This shows all TCP and UDP connections.

Want to filter by IP or port? You can use grep:

sudo netstat -tun | grep 443

That shows only connections using port 443 (HTTPS).

ss

sudo ss -tun

I like ss better here because it loads much faster. It’s also easier to use with filters.


Knowing Which Program Uses Which Port

You may want to know what app is using a specific port. Maybe your web server isn’t starting because something else is already using port 80.

Use this command with netstat:

sudo netstat -tulpn

Or with ss:

sudo ss -tulpn

The -p flag shows the process ID (PID) and program name.

Example:

tcp   LISTEN  0   128  0.0.0.0:80   0.0.0.0:*   users:(("nginx",pid=1324,fd=6))

This tells you that nginx is using port 80.

This has helped me more than once when something unexpected was using a port I needed.


Useful Flags to Remember

Both netstat and ss support lots of flags. Here are the ones I use most:

For netstat

  • -t – TCP
  • -u – UDP
  • -l – Listening ports
  • -n – Show numeric IPs
  • -p – Show program names

For ss

  • -t – TCP
  • -u – UDP
  • -l – Listening
  • -n – No DNS resolution
  • -p – Show process info

Filtering with ss

ss has a nice feature: you can filter by port or state.

Want to see all connections to port 22?

sudo ss -tn sport = :22

Want to see connections that are established?

sudo ss -tn state established

This kind of filtering saves time, especially on busy servers.


Three Handy Lists for Debugging

When to Use netstat or ss

  • When your server seems slow or overloaded
  • When a service isn’t reachable
  • When you want to check if a firewall is blocking traffic

Common Issues These Tools Help With

  • A port is open, but nothing is connecting
  • A service is running but not listening on the right port
  • Too many connections from a single IP
  • Two apps trying to use the same port

Things I Recommend Doing

  • Use ss instead of netstat if your system supports it
  • Always use -n to avoid slow DNS lookups
  • Combine with grep to narrow results

My Personal Tips

Here’s a trick I use when I set up a new server. After I install my apps, I run:

ss -tulpn

I save the output in a text file. That way, if something goes wrong later, I can compare the current list to what it looked like when it was working.

Also, if I’m not sure a firewall is blocking traffic, I check if the service is actually listening. Many times, I thought the firewall was the issue — but it was just a service not running.


Summary

Debugging network problems isn’t fun, but with the right tools, it gets easier. netstat and ss show you what’s going on with ports, programs, and connections. If something isn’t working, these tools often help you find the cause.

Here’s what we learned:

  • netstat is older, but still useful.
  • ss is faster and has more options.
  • You can check open ports, active connections, and running programs.
  • Filters and flags make your search more accurate.

I hope this helps you feel more confident when your network acts up.

Do you want to learn how to use these tools with iptables or firewalld? That’s a great next step. Let me know, and I’ll write a guide for that too.

Leave a Reply