Hi there! I'm Shrijith Venkatrama, founder of Hexmos. Right now, I’m building LiveAPI, a first of its kind tool for helping you automatically index API endpoints across all your repositories. LiveAPI helps you discover, understand and use APIs in large tech infrastructures with ease.
Linux processes are the heartbeat of any system, and understanding them is key to debugging, optimizing, and securing your environment. Whether you're a sysadmin, developer, or just curious, knowing how to inspect processes with advanced tools can save you hours of frustration. This article dives into practical, powerful techniques to monitor and analyze processes using tools beyond the basics like ps or top. We'll explore command-line utilities, their options, and real-world examples with complete, runnable code snippets.
Why Process Inspection Matters
Processes are the running instances of programs, consuming CPU, memory, and I/O. Inspecting them helps you:
- Identify resource hogs causing slowdowns.
- Debug crashes or unexpected behavior.
- Monitor system health for security or performance.
- Optimize applications by understanding their runtime behavior.
We'll focus on tools that give you deep insights, with examples you can run yourself. Let’s get started.
1. htop: A Better Way to Visualize Processes
htop is an interactive, colorful alternative to top. It’s user-friendly but packed with advanced features like sorting, filtering, and killing processes directly.
- Key features: Tree view, customizable columns, process filtering.
-
Install it:
sudo apt install htop(Debian/Ubuntu) orsudo dnf install htop(Fedora).
Run htop and use arrow keys to navigate. Press F5 for a tree view to see parent-child relationships. To filter processes (e.g., find all python processes), press F4 and type python.
Example: Sorting by Memory Usage
- Run
htop. - Press
F6to open the sort menu, selectMEM%. - Press
F9to send a signal (like SIGTERM) to a process.
Here’s a table of useful htop shortcuts:
| Key | Action |
|---|---|
| F3 | Search for a process |
| F4 | Filter processes |
| F5 | Toggle tree view |
| F6 | Sort by column |
| F9 | Send signal to process |
Link: htop GitHub for more details.
2. strace: Tracing System Calls
strace tracks system calls made by a process, perfect for debugging why a program fails or hangs. It shows every interaction with the kernel, like file access or network requests.
-
Install it:
sudo apt install straceorsudo dnf install strace.
Example: Tracing a Simple Command
Create a script to trace:
#!/bin/bash
# File: trace_ls.sh
# Run: chmod +x trace_ls.sh && ./trace_ls.sh
# Output: System calls for 'ls' written to ls_trace.txt
strace -o ls_trace.txt ls -l
echo "Trace written to ls_trace.txt"
head -n 5 ls_trace.txt
Sample output in ls_trace.txt:
execve("/bin/ls", ["ls", "-l"], 0x7ffeb6b0d0e0 /* 50 vars */) = 0
brk(NULL) = 0x55e7c6b1e000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libselinux.so.1", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\20\262\0\0\0\0\0\0"..., 832) = 832
This shows ls starting, checking for libraries, and opening files. Use strace -c for a summary of calls:
#!/bin/bash
# File: summary_trace.sh
# Run: chmod +x summary_trace.sh && ./summary_trace.sh
# Output: Summary of system calls for 'ls'
strace -c ls -l
Tip: Use -p <pid> to attach to a running process, e.g., strace -p 1234.
3. lsof: Mapping Files to Processes
lsof lists open files associated with a process, including sockets, pipes, and regular files. It’s great for finding what a process is reading or writing.
-
Install it:
sudo apt install lsoforsudo dnf install lsof.
Example: Find Files Opened by a Process
Find the PID of a running process (e.g., nginx):
#!/bin/bash
# File: lsof_nginx.sh
# Run: chmod +x lsof_nginx.sh && ./lsof_nginx.sh
# Output: List of files opened by nginx
NGINX_PID=$(pgrep nginx | head -n 1)
if [ -z "$NGINX_PID" ]; then
echo "nginx not running"
exit 1
fi
lsof -p $NGINX_PID
Sample output:
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
nginx 12345 www-data cwd DIR 8,1 4096 123456 /var/www
nginx 12345 www-data 0r FIFO 0,12 0t0 789012 pipe
nginx 12345 www-data 3u IPv4 123456 0t0 TCP *:http (LISTEN)
Table: Common lsof Options
| Option | Description |
|---|---|
-p <pid> |
List files for specific PID |
-i |
Show network files (sockets) |
-u <user> |
List files opened by a user |
Link: lsof man page.
4. perf: Profiling Performance
perf is a powerful tool for profiling CPU usage, cache misses, and other performance metrics. It’s ideal for optimizing applications or finding bottlenecks.
-
Install it:
sudo apt install linux-tools-common linux-tools-$(uname -r).
Example: Profiling a Command
Profile CPU usage of a command:
#!/bin/bash
# File: perf_stat.sh
# Run: chmod +x perf_stat.sh && ./perf_stat.sh
# Output: Performance stats for 'ls -R /etc'
perf stat ls -R /etc
Sample output:
Performance counter stats for 'ls -R /etc':
12.34 msec task-clock # 0.998 CPUs utilized
123 context-switches # 0.010 M/sec
4 cpu-migrations # 0.324 K/sec
567 page-faults # 0.046 M/sec
34,567,890 cycles # 2.800 GHz
45,678,901 instructions # 1.32 insn per cycle
Use perf record and perf report for detailed call graphs:
#!/bin/bash
# File: perf_record.sh
# Run: chmod +x perf_record.sh && ./perf_record.sh
# Output: Performance data in perf.data, view with 'perf report'
perf record ls -R /etc
perf report
Tip: Requires root for some features; use sudo.
5. pidstat: Detailed Process Statistics
pidstat (part of sysstat) gives per-process CPU, memory, and I/O stats over time. It’s great for monitoring resource usage dynamically.
-
Install it:
sudo apt install sysstatorsudo dnf install sysstat.
Example: Monitoring a Process
Monitor a process (e.g., python3):
#!/bin/bash
# File: pidstat_python.sh
# Run: chmod +x pidstat_python.sh && ./pidstat_python.sh
# Output: Stats for python3 processes every 2 seconds, 5 times
pidstat -u -p $(pgrep python3) 2 5
Sample output:
Linux 5.15.0-73-generic (hostname) 06/21/2025 _x86_64_ (8 CPU)
10:24:01 PM UID PID %usr %system %guest %wait %CPU CPU Command
10:24:03 PM 1000 1234 1.00 0.50 0.00 0.00 1.50 2 python3
10:24:05 PM 1000 1234 0.80 0.40 0.00 0.00 1.20 2 python3
Table: pidstat Options
| Option | Description |
|---|---|
-u |
CPU usage |
-r |
Memory usage |
-d |
I/O statistics |
-p |
Specific PID |
6. bpftrace: Programmable Tracing
bpftrace uses eBPF to trace system and application behavior with custom scripts. It’s advanced but flexible for deep insights.
-
Install it:
sudo apt install bpftraceorsudo dnf install bpftrace.
Example: Tracing File Opens
Track which processes open files:
#!/bin/bash
# File: bpftrace_files.sh
# Run: chmod +x bpftrace_files.sh && sudo ./bpftrace_files.sh
# Output: Processes opening files with filenames
bpftrace -e 'tracepoint:syscalls:sys_enter_openat { printf("%s opened %s\n", comm, str(args->filename)); }'
Sample output:
bash opened /etc/passwd
firefox opened /home/user/.cache/fontconfig/12345
Tip: Requires root and kernel >= 4.9.
Link: bpftrace GitHub.
7. procfs: Raw Process Data
The /proc filesystem exposes raw process data like memory maps, file descriptors, and environment variables. It’s low-level but invaluable.
Example: Inspecting a Process’s Memory
Check memory usage for a process:
#!/bin/bash
# File: proc_memory.sh
# Run: chmod +x proc_memory.sh && ./proc_memory.sh
# Output: Memory maps for a python3 process
PYTHON_PID=$(pgrep python3 | head -n 1)
if [ -z "$PYTHON_PID" ]; then
echo "No python3 process found"
exit 1
fi
cat /proc/$PYTHON_PID/maps
Sample output:
7f8e3a2b9000-7f8e3a2ba000 r--p 00000000 08:01 123456 /usr/lib/libpython3.10.so
7f8e3a2ba000-7f8e3a2bc000 r-xp 00001000 08:01 123456 /usr/lib/libpython3.10.so
Table: Useful /proc Files
| File | Description |
|---|---|
/proc/<pid>/stat |
Process status |
/proc/<pid>/maps |
Memory mappings |
/proc/<pid>/fd/ |
Open file descriptors |
Moving Forward with Process Inspection
These tools—htop, strace, lsof, perf, pidstat, bpftrace, and /proc—offer a range of ways to inspect Linux processes. Start with htop for quick overviews, then dive into strace or bpftrace for debugging. Use perf and pidstat for performance tuning, and /proc for raw data. Experiment with the examples provided, and combine tools for deeper insights. For example, use lsof to find open files, then strace to see how they’re accessed. Keep these scripts handy in your toolbox, and you’ll be ready to tackle any process-related challenge.
Top comments (0)