Understanding Send-Q in 'ss' and 'netstat'
Clement
5 min read·Oct 12, 2024
I noticed that Send-Q is always greater than 0 in the output of ss:
root@machine:~# ss -lt
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 4096 0.0.0.0:http 0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:domain 0.0.0.0:*
LISTEN 0 128 0.0.0.0:ssh 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:https 0.0.0.0:*
LISTEN 0 4096 [::]:http [::]:*
LISTEN 0 128 [::]:ssh [::]:*
LISTEN 0 1 [::1]:omniorb [::]:*
LISTEN 0 4096 [::]:https [::]:*
LISTEN 0 4096 *:2377 *:*
LISTEN 0 4096 *:7946 *:*
But in the netstat output, Send-Q is 0:
root@machine:~# netstat -lt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:http 0.0.0.0:* LISTEN
tcp 0 0 localhost:domain 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:ssh 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:https 0.0.0.0:* LISTEN
tcp6 0 0 [::]:http [::]:* LISTEN
tcp6 0 0 [::]:ssh [::]:* LISTEN
tcp6 0 0 127.0.0.1:omniorb [::]:* LISTEN
tcp6 0 0 [::]:https [::]:* LISTEN
tcp6 0 0 [::]:2377 [::]:* LISTEN
tcp6 0 0 [::]:7946 [::]:* LISTEN
I finally figured out why. The Send-Q value in the ss output actually represents the 'maximum size of the SYN backlog' according to the documentation:
Recv-Q
Established: The count of bytes not copied by the user program
connected to this socket. Listening: Since Kernel 2.6.18 this
column contains the current syn backlog.
Send-Q
Established: The count of bytes not acknowledged by the remote
host. Listening: Since Kernel 2.6.18 this column contains the
maximum size of the syn backlog.
To make it clearer, it might be better to rename Send-Q to Backlog. However, for compatibility reasons, it should remain the same.