Essential Linux Performance Monitoring Tools Every Sysadmin Should Know

CPU and Memory Monitoring

The top command provides a real‑time view of system load, task states, and CPU usage breakdown. The first three numbers on the first line show the 1‑, 5‑, and 15‑minute load averages; values exceeding the number of CPU cores indicate saturation. The second line lists task counts (running, sleeping, stopped, zombie). Subsequent lines detail CPU time spent in user ( us), system ( sy), nice ( ni), idle ( id), iowait ( wa), hardware interrupt ( hi), software interrupt ( si), and steal time ( st)—each hinting at different performance issues such as CPU‑bound processes, heavy I/O, or virtualization overhead.

Memory statistics appear on the fourth and fifth lines, showing total, used, free, buffers, cache, and available memory. Buffers cache raw disk metadata, while Cached stores file data. Avail Mem approximates memory that can be allocated without swapping. High swap activity signals memory pressure.

Disk I/O Monitoring

The iostat -xz 1 utility reports per‑device I/O metrics. Key fields include avgqu‑s (average queue length; >1 suggests saturation), await (average request latency), svctm (service time), and %util (percentage of time the device is busy; >60 % degrades performance). These values help determine whether a disk is a bottleneck.

For per‑CPU load balance, mpstat -P ALL 1 shows each core’s utilization, revealing uneven distribution that may require tuning.

Network Monitoring

Network health can be inspected with several tools. netstat -s displays cumulative protocol statistics, while netstat -antp lists active TCP connections. The sar -n TCP,ETCP 1 command provides per‑second counters such as active/s , passive/s , retrans/s , and isegerr/s , useful for spotting connection storms or packet loss.

The tcpdump utility captures raw packets for offline analysis with Wireshark. Using filters (e.g., tcpdump -i eth0 port 80 -w capture.pcap) limits data volume and reduces impact on the monitored system.

Additional Utilities

vmstat

offers a compact view of processes, memory, paging, block I/O, and CPU activity. Fields such as r (runnable processes) and b (blocked) help assess load. pidstat provides per‑process statistics; options like -t (thread view), -r (memory faults), -s (stack usage), -u (CPU), and -w (context switches) give deep insight. Example: pidstat -w -t -C "ailaw" -l filters by command name.

For disk activity per process, iotop shows real‑time I/O rates, and lsof reveals which files or devices a process has opened, useful when a filesystem cannot be unmounted.

Combining these tools enables systematic diagnosis of performance issues across CPU, memory, storage, and network layers on Linux servers.