When performing network diagnostics and monitoring on CentOS servers, many administrators are accustomed to using the classic `netstat` command. However, if you recently tried to install or use it on a new CentOS 7 or 8 system, you might find that this tool is no longer installed by default, or you're told it belongs to the deprecated `net-tools` package. This is not accidental, but rather a result of the Linux network tool stack moving towards greater modernization. In this situation, understanding functional alternatives to `netstat` becomes essential, not only to help you with your current network troubleshooting but also to keep up with technological advancements.

First, understanding why `netstat` is gradually being deprecated is key. The code maintenance of the `net-tools` package (which includes commands such as `netstat`, `ifconfig`, and `route`) has been stagnant for a long time. It relies on an older `/proc/net/` filesystem interface that interacts with the kernel. With the rapid development of the Linux kernel network stack, this older interface has become inadequate and inefficient in providing detailed information about some newer network protocols. Therefore, the community introduced the `iproute2` package as a long-term alternative. It communicates directly with the kernel through a more efficient `netlink` interface, offering more powerful features and more accurate information. In modern distributions like CentOS 7 and Rocky Linux 8/AlmaLinux 8, while you can still force-install `netstat` using `yum install net-tools`, official documentation and best practices recommend using the newer tools.

The most essential and direct alternative is the `ss` command, which covers almost all of `netstat`'s socket viewing capabilities, and is faster and provides more detailed information. `ss` is short for "socket statistics" and is also included in the `iproute2` package, which is installed by default. If you find `ss` unavailable, you can ensure its installation using the following command:

yum install iproute

Next, let's see how to use `ss` to implement common uses of `netstat`. To view all established TCP connections, previously you used `netstat -tn`, now you use:

ss -t

`-t` indicates the TCP protocol, and `-n` displays the address and port in numerical form (avoiding time-consuming hostname resolution). Want to see all listening ports (corresponding to `netstat -tlnp`)? You can do this:

ss -tlnp

Here, `-l` indicates that only listening (LISTEN) sockets will be displayed, and `-p` will show the process name and PID using that port, which is extremely helpful for troubleshooting port conflicts. For UDP sockets, simply replace `-t` with `-u`, i.e., `ss -ulnp`. A powerful feature is that you can use status filters to precisely locate connections. For example, to view all connections in the `ESTAB` (established) state, you can run:

ss -t state established

Or to view all connections except those in the listening state (i.e., all active data transfer connections):

ss -t state connected

Supported state keywords for `ss` include `established`, `syn-sent`, and `close-wait`, making it very convenient for diagnosing specific network problems (such as a large number of `TIME-WAIT` states).

Besides viewing socket connections, another common function of `netstat` is viewing the routing table, with the corresponding command being `netstat -rn`. A modern alternative to this function is the `ip route` command. To view the complete routing table, simply execute:

ip route show

or abbreviated as `ip r`. Its output format is clear and includes core information such as the target network, gateway, and network interface card. The `netstat -i` command, formerly used to view network interface statistics (such as packet count and error count), has now been perfectly replaced by the `ip -s link` command. Executing this command will give you detailed statistics for each network interface.

Of course, some features of `netstat` require a combination of other tools to fully cover. For example, `netstat -an` combined with `grep` to check if a port is in use can be done more efficiently with `ss`. However, if you want a comprehensive, human-readable overview of all connections that is closer to the style of the older `netstat -pantu`, consider using the newer `lsof` command. `lsof` is a powerful tool for listing open files on the system, and the `-i` option can be used to filter network files. Installation and basic usage are as follows:

yum install lsof
lsof -i

It can clearly show which process (PID) is using which port via which protocol (TCP/UDP) and can resolve the service name. Another scenario is that if you need to perform a quick port scan to confirm which ports are open on the server, the `nmap` tool is a more professional choice than `netstat`. First, install it:

yum install nmap

Then scan yourself:

nmap -sT -O localhost

This command attempts a TCP connection scan and probes the operating system, useful for security checks and compliance audits.

In daily maintenance of CentOS servers, how do you choose and combine these tools? For quick connection status viewing and problem diagnosis, `ss` should be your first choice. It's extremely fast and has concise syntax. When you need to configure or view broader network parameters such as network interfaces, routes, and policy routes, the entire `ip` command family (such as `ip addr`, `ip link`, and `ip route`) is your new toolbox. And when you need to deeply trace which specific process or file is using a port or network address, especially involving unconventional processes, `lsof -i` provides unparalleled detail.

Migrating from `netstat` to a new tool might feel a little unfamiliar at first, but it's a great opportunity to improve your skills. You can try replacing the old `netstat` commands one by one in your scripts. For example, a monitoring script used to view all IPv4 TCP listening ports and their corresponding processes can be changed from `netstat -tlnp` to `ss -tlnp`, which not only provides the same information but also improves execution efficiency.