by Anish
Posted on Friday September 13
The ps utility displays a header line, followed by lines containing information about all of your processes that have controlling terminals. The ps command only produces a snapshot of processes, meaning the information produced is static.
This is the first command most system administrators use to troubleshoot an environment, so in this article we will quickly discuss ps-related tips that users may find useful.
Simply typing ps will display the processes for the current shell
# ps
PID TTY TIME CMD
20048 pts/0 00:00:00 sudo
20049 pts/0 00:00:00 su
20050 pts/0 00:00:00 bash
20241 pts/0 00:00:00 ps
Note: a time of 00:00:00 indicates that no CPU time has been given by the kernel
The output headers and their meaning
ps -A will display information about other users’ processes, including those without controlling terminals.
# ps -A
PID TTY TIME CMD
1 ? 00:01:15 systemd
2 ? 00:00:00 kthreadd
3 ? 00:35:29 ksoftirqd/0
.....
ps -e is identical to ps -A; many people prefer ps -e
ps -l will display information associated with the following keywords: uid, pid, ppid, flags, cpu, pri, nice, vsz=SZ, rss, wchan, state=S, paddr=ADDR, tty, time, and command=CMD
# ps -l
F S UID PID PPID C PRI NI ADDR SZ WCHAN TTY TIME CMD
4 S 0 20048 20009 0 80 0 - 13233 poll_s pts/0 00:00:00 sudo
4 S 0 20049 20048 0 80 0 - 13071 wait pts/0 00:00:00 su
4 S 0 20050 20049 0 80 0 - 5340 wait pts/0 00:00:00 bash
0 R 0 20489 20050 0 80 0 - 7229 - pts/0 00:00:00 ps
The output headers and their meaning
ps -u will display information associated with the following keywords: user, pid, %cpu, %mem, vsz, rss, tt, state, start, time, and command
# ps -u
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1048 0.0 0.0 15936 1500 tty1 Ss+ Jul13 0:00 /sbin/agetty --noclear tty1 linux
root 20048 0.0 0.0 52932 3996 pts/0 S 12:22 0:00 sudo su
root 20049 0.0 0.0 52284 3568 pts/0 S 12:22 0:00 su
root 20050 0.0 0.0 21360 3832 pts/0 S 12:22 0:00 bash
The output headers and their meaning
R   running or runnable (on run queue)
D   uninterruptible sleep (usually IO)
S   interruptible sleep (waiting for an event to complete)
Z   defunct/zombie, terminated but not reaped by its parent
T   stopped, either by a job control signal or because it is being traced
For BSD formats and when the stat keyword is used, additional characters may be displayed:
BSD formats
<   high-priority (not nice to other users)
N   low-priority (nice to other users)
L   has pages locked into memory (for real-time and custom IO)
s   is a session leader
l   is multi-threaded (using CLONE_THREAD, like NPTL pthreads do)
+   is in the foreground process group
START : time started
ps -e
ps -ef
ps -eF
ps -ely
ps -ejH
ps axjf
ps -eLf
ps axms
ps -u ansible,www-data
This will attach an extra header called LABEL and show the security context for SELinux
ps -eo euser,ruser,suser,fuser,f,comm,label
ps axZ
ps -eM
/usr/sbin/mysqld (enforce) 19926 ? 78-11:31:17 mysqld
unconfined 20005 ? 00:00:00 sshd
unconfined 20009 pts/0 00:00:00 bash
unconfined 20048 pts/0 00:00:00 sudo
ps -U root -u root u
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.1 37772 5176 ? Ss Jul13 1:15 /sbin/init
root 2 0.0 0.0 0 0 ? S Jul13 0:00 [kthreadd]
root 3 0.0 0.0 0 0 ? S Jul13 35:31 [ksoftirqd/0]
The output headers and their meaning
Use the -o or --format option to build user-defined output formats, as shown below.
ps -eo pid,tid,class,rtprio,ni,pri,psr,pcpu,stat,wchan:14,comm
ps axo stat,euid,ruid,tty,tpgid,sess,pgrp,ppid,pid,pcpu,comm
ps -Ao pid,tt,user,fname,tmout,f,wchan
ps -C mysqld
PID TTY TIME CMD
19926 ? 78-10:23:55 mysqld
ps -C mysqld -o pid=
ps -q 19926 -o comm=
mysqld
ps -aef --forest
UID PID PPID C STIME TTY TIME CMD
root 2 0 0 Jul13 ? 00:00:00 [kthreadd]
root 3 2 0 Jul13 ? 00:35:31 \_ [ksoftirqd/0]
root 5 2 0 Jul13 ? 00:00:00 \_ [kworker/0:0H]
root 7 2 0 Jul13 ? 01:49:34 \_ [rcu_sched]
root 8 2 0 Jul13 ? 00:00:00 \_ [rcu_bh]
To find the children of a process, pass the PID of the process with -p <pid> to the pstree command
pstree -p 19926
mysqld(19926)─┬─{mysqld}(19933)
├─{mysqld}(19934)
├─{mysqld}(19935)
├─{mysqld}(19936)
├─{mysqld}(19937)
├─{mysqld}(19938)
Use the -L command-line option to display all the threads attached to that process ID
ps -L 19926
PID LWP TTY STAT TIME COMMAND
19926 19926 ? Ssl 2990:32 /usr/sbin/mysqld
19926 19933 ? Ssl 0:00 /usr/sbin/mysqld
19926 19934 ? Ssl 1:59 /usr/sbin/mysqld
The output headers and their meaning
ps -efww
root 900 1 0 Jul13 ? 00:00:02 /usr/lib/policykit-1/polkitd --no-debug
root 906 1 0 Jul13 ? 00:00:00 /sbin/dhclient -1 -v -pf /run/dhclient.ens3.pid -lf /var/lib/dhcp/dhclient.ens3.leases -I -df /var/lib/dhcp/dhclient6.ens3.leases ens3
root 927 1 0 Jul13 ? 00:00:00 /sbin/mdadm --monitor --pid-file /run/mdadm/monitor.pid --daemonise --scan --syslog
.....
.....
The -T option will display information about processes attached to the device associated with the standard input.
The t option will display information about processes attached to the specified terminal devices.
ps -ef --sort=start_time
ps -eo pid,ppid,cmd,%mem,%cpu --sort=-%cpu | head
PID PPID CMD %MEM %CPU
19926 1 /usr/sbin/mysqld 9.9 125
7374 5367 /usr/lib/jvm/java-8-openjdk 26.1 32.1
27969 27959 python lsat.py 1.0 20.0
25821 1 Xtightvnc :2 -desktop X -au 3.0 3.0
ps -eo pid,ppid,cmd,%mem,%cpu --sort=-%mem | head
PID PPID CMD %MEM %CPU
7374 5367 /usr/lib/jvm/java-8-openjdk 26.1 32.1
19926 1 /usr/sbin/mysqld 9.9 125
25821 1 Xtightvnc :2 -desktop X -au 3.0 3.0
27969 27959 python lsat.py 1.0 20.0
25884 1 xfdesktop 0.8 0.0
Use ps with the watch command to find which process is causing high CPU usage
watch -n 1 'ps aux | sort -nrk 3 | head'
-n specifies the time interval; here the line is executed every 1 second. Press Ctrl+c to quit watch.
or
watch -n 1 'ps -eo pid,ppid,cmd,%mem,%cpu --sort=-%cpu'
To find which process is eating memory
watch -n 1 'ps -eo pid,ppid,cmd,%mem,%cpu --sort=-%mem'
Watching a specific command for troubleshooting
ps u -C mysqld
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
mysql 19926 125 9.9 1676224 404556 ? Ssl Jul13 113018:30 /usr/sbin/mysqld
With the watch command, refreshed every 1 second.
watch -n 1 "ps u -C mysqld"
Every 1.0s: ps u -C mysqld Fri Sep 14 15:01:33 2018
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
mysql 19926 125 9.9 1676224 404556 ? Rsl Jul13 113020:52 /usr/sbin/mysqld
ps -ef | cut -d " " -f 1 | sort -n | uniq -c | sort -nr
121 root
28 ansible
5 www-data
...
ps aux |grep "defunct"
Note: zombie processes cannot be killed with normal commands such as kill -9 PID; you will have to reboot the system to kill them
ps aux | awk '{if ($8 ~ "D") print $0}'
Through watch command
watch -d -n 1 "(ps aux | awk '\$8 ~ /D/ { print \$0 }')"
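Matching on the text "defunct" also catches the grep process itself, so the following added example (not part of the original article) keys on the first letter of the STAT column instead and reports each zombie together with the parent that has not reaped it. The sample process list and the function names sample_ps, triage and count_state are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage processes by the first letter of the STAT column.
# Expected input: the output of  ps -eo pid,ppid,stat,args

# Constructed sample process list, not captured from a real host.
sample_ps() {
cat <<'EOF'
  PID  PPID STAT COMMAND
    1     0 Ss   /sbin/init
  973     1 Ss   /usr/sbin/sshd -D
 4100     1 Sl   backupd
 4101  4100 Z    [gzip] <defunct>
 4102  4100 Z+   [tar] <defunct>
 5200     1 D    rsync -a /srv /mnt/nfs
 5300   973 Dsl  dbdump
 6000   973 S+   grep defunct
EOF
}

# triage: read ps output on stdin and print one line per zombie (Z) or
# uninterruptible-sleep (D) process; zombies are shown with their parent.
triage() {
    awk '
    NR == 1 { next }                        # skip the header line
    {
        cmd = $4                            # args may contain spaces: rejoin
        for (i = 5; i <= NF; i++) cmd = cmd " " $i
        name[$1] = cmd; parent[$1] = $2; state[$1] = substr($3, 1, 1)
        order[++n] = $1                     # keep the original ordering
    }
    END {
        for (k = 1; k <= n; k++) {
            p = order[k]
            if (state[p] == "Z") {
                pp = parent[p]
                printf "ZOMBIE pid=%s cmd=%s parent=%s(%s)\n",
                    p, name[p], pp, ((pp in name) ? name[pp] : "?")
            } else if (state[p] == "D")
                printf "DSTATE pid=%s cmd=%s\n", p, name[p]
        }
    }'
}

# count_state LETTER: number of processes whose state is exactly LETTER.
count_state() {
    awk -v s="$1" 'NR > 1 && substr($3, 1, 1) == s { c++ } END { print c + 0 }'
}

sample_ps | triage
```

Against a live system, pipe `ps -eo pid,ppid,stat,args` into `triage` in place of the sample.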
# ps -T 7374 | cut -d " " -f 2 | wc -l
18
This command will output only the command and arguments returned by the ps command
ps ax | awk -v p='COMMAND' 'NR==1 {n=index($0, p); next} {print substr($0, n)}'
/sbin/init
[kthreadd]
[ksoftirqd/0]
[kworker/0:0]
[kworker/0:0H]
...
....
ps -e and ps e are not the same. Try them out in your shell
ps -ef and ps aux are the same; there are historical divergences between POSIX and BSD systems
pgrep and pkill look through the currently running processes; pgrep lists the process IDs which match the selection criteria to stdout
For example, this will only list the processes called sshd AND owned by root
# pgrep -u root sshd
973
19905
and pgrep -u root,daemon will list the processes owned by root or daemon.
To kill a process you need the process ID; sending SIGKILL (option 9) will then terminate the process
For example, to kill the mysql process, first find the PID and then kill the process.
kill -9 $(pgrep -f mysql)
or
kill -9 <pid_of_mysql>
If no option is specified, kill sends the default signal, SIGTERM, to all those processes.
kill pid
To list all the available signals use kill -l. OMG, there are 64 signals, and each signal carries a specific meaning for the OS.
kill -l
1) SIGHUP 2) SIGINT 3) SIGQUIT 4) SIGILL 5) SIGTRAP
6) SIGABRT 7) SIGBUS 8) SIGFPE 9) SIGKILL 10) SIGUSR1
11) SIGSEGV 12) SIGUSR2 13) SIGPIPE 14) SIGALRM 15) SIGTERM
16) SIGSTKFLT 17) SIGCHLD 18) SIGCONT 19) SIGSTOP 20) SIGTSTP
21) SIGTTIN 22) SIGTTOU 23) SIGURG 24) SIGXCPU 25) SIGXFSZ
26) SIGVTALRM 27) SIGPROF 28) SIGWINCH 29) SIGIO 30) SIGPWR
31) SIGSYS 34) SIGRTMIN 35) SIGRTMIN+1 36) SIGRTMIN+2 37) SIGRTMIN+3
38) SIGRTMIN+4 39) SIGRTMIN+5 40) SIGRTMIN+6 41) SIGRTMIN+7 42) SIGRTMIN+8
43) SIGRTMIN+9 44) SIGRTMIN+10 45) SIGRTMIN+11 46) SIGRTMIN+12 47) SIGRTMIN+13
48) SIGRTMIN+14 49) SIGRTMIN+15 50) SIGRTMAX-14 51) SIGRTMAX-13 52) SIGRTMAX-12
53) SIGRTMAX-11 54) SIGRTMAX-10 55) SIGRTMAX-9 56) SIGRTMAX-8 57) SIGRTMAX-7
58) SIGRTMAX-6 59) SIGRTMAX-5 60) SIGRTMAX-4 61) SIGRTMAX-3 62) SIGRTMAX-2
63) SIGRTMAX-1 64) SIGRTMAX
For example, taking Java thread dumps
In the JRE, the kill -3 option is used and the thread dump is sent to the standard error stream.
kill -3 <pid>
or
kill -QUIT <pid>
Make syslog reread its configuration file
pkill -HUP syslogd
or
kill -1 $(pgrep syslogd)
The killall command sends a signal to all processes running any of the specified commands. If no signal name is specified, SIGTERM is sent.