Linux – What does the output of ‘ss -s’ mean

First, I am going to state explicitly I am really “winging” this answer. I have networking experience a systems administrator, but my networking knowledge is not as deep as most. So hopefully I will get some of this right. And if someone who knows better reads this, please comment or even edit to correct.

When you run the ss (socket statistics) command with the -s flag that shows the socket status. So knowing that:

What does Total: 973 (kernel 996) mean? What is Total and what is kernel? Why Total seems to be smaller than kernel?

To my knowledge, system sockets don’t expire right away after use. So to the best of my knowledge the 973 is a reflection of total active sockets minus expired sockets, but the 996 connected to the kernel includes the 23 remaining stray sockets that the kernel has not gotten around to clean up yet. This page on kernel tuning gives a nice overview of the concept of how the kernel deals with sockets and how one can tune a system to better manage sockets on the kernel level.

In the line TCP: 600 (estab 280, closed 73, orphaned 0, synrecv 0, timewait 0/0), ports 333, what does the word ports mean?

The ports 333 just is a tally of all port activity on your system at that specific moment. The 333 matches the sum of estab 280 and closed 73. Specifics about those ports would be summarized below that list. But in the context of sockets that line basically states there are 600 sockets available and of those 600, 333 are in some way associated to ports on the system. For more details on what a socket is versus a port, read this excellent answer on Stack Overflow.

What does the asterisk (*) mean?

In the context of the example you show:

Transport Total     IP        IPv6
*         996       -         -

See how that 996 the kernel total in Total: 973 (kernel 996)? That * correlates to sockets that are simply open/managed regardless of of their transport layer on the kernel level.

But that said, yes… This is all quite confusing on a novice level.