[conspire] ss(8) (was: Re: Party with iproute2 like it's 1999)

Michael Paoli Michael.Paoli at cal.berkeley.edu
Fri Mar 13 01:58:10 PDT 2020


ss(8) is damn fine!  :-)  Though it *does* take some getting used to.

One of many cool things with ss(8) is it does in-kernel filtering.
E.g., want to know if one has stuff listening on TCP ports 80 and/or 443?:
$ ss -nlt '( sport = :80 or sport = :443 )'
State      Recv-Q Send-Q Local Address:Port               Peer Address:Port
LISTEN     0      128         :::80                      :::*
LISTEN     0      128         :::443                     :::*
$
With ye olde netstat, one would be doing stuff with some type of
string or Regular Expression (RE) matching - both much less efficient, and
would also run risk of false positives from stuff matched not exactly
where one expected (unless one was super careful with the REs, and
netstat didn't give slightly unexpected changes in output format).
Likewise for state of connections, etc., ss(8) gets you exactly and only
what you want - no more, no less, and mostly don't need processing/filtering
after to narrow it down to only and exactly what one wants.  Sometimes
these differences in performance are very dramatic when one looks at a
very busy heavily loaded system with many hundreds of thousands or more
connections / traffic in various states.  In such case, ss(8) shines, and
is dang fast and efficient.  Using netstat and post-processing was often
not only much much slower, but itself was much more of a performance impact
on an already heavily loaded system.  I've seen folks hobble systems by
running netstat too frequently (e.g. one or more times per minute) on
heavily loaded systems ... when netstat would take more than a minute to
complete, things would often then get very bad very fast.  I've thus far
always seen ss(8) to continue to be pretty dang fast and efficient ... and
even more so if one uses the appropriate built-in filtering capabilities to
filter to just the data one actually wants/needs.

> From: "Nick Moffitt" <nick at zork.net>
> Subject: Re: [conspire] Party with iproute2 like it's 1999
> Date: Wed, 11 Mar 2020 22:56:46 +0000

> On 11Mar2020 06:08pm (-0400), Ruben Safir wrote:
>> ss is particularly crap.  I know this changes nothing, it is crap.
>
> What you may not know is that ss supports nearly all of the  
> command-line options you're familiar with in netstat.  Once I  
> learned this, I switched my muscle-memory to things like `ss -tln`  
> and moved on from there.
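
The false-positive risk of pattern-matching netstat output, described in the message above, as an added example that is not part of the original post. The netstat lines are a constructed sample (documentation-range addresses), and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of `netstat -ant`-style output; not captured from a real host.
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 :::443                  :::*                    LISTEN
tcp        0      0 127.0.0.1:4430          0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:51234        198.51.100.7:80         ESTABLISHED
EOF
}

# Loose pattern: counts every line containing ":80" or ":443" anywhere,
# so it also hits :8080, :4430 and an outbound connection to remote port 80.
naive_count() {
    grep -cE ':(80|443)'
}

# Careful post-processing: the state column must be LISTEN and the text after
# the last ':' of the local address must be exactly 80 or 443.
exact_count() {
    awk '$6 == "LISTEN" {
             n = split($4, part, ":")
             if (part[n] == "80" || part[n] == "443") hits++
         }
         END { print hits + 0 }'
}

# With ss the same question needs no post-processing (filter taken from the post):
#   ss -nlt '( sport = :80 or sport = :443 )'

echo "naive grep matches:  $(sample_netstat | naive_count)"
echo "exact field matches: $(sample_netstat | exact_count)"
```

On the sample, the loose pattern reports five lines while only two sockets are actually listening on ports 80 and 443.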



