Linux Server Monitoring: CPU, Memory, Disk I/O, and Network Tools Overview

Monitoring a Linux server’s runtime parameters is crucial for operations staff and developers alike, as these metrics help quickly locate and diagnose abnormal program behavior.

1. CPU and Memory

1.1 top

top

The first line shows the 1‑, 5‑, and 15‑minute load averages; values exceeding the number of CPU cores indicate saturation. The second line lists task states (running, sleeping, stopped, zombie). Subsequent lines break down CPU usage into user (us), system (sy), nice (ni), idle (id), iowait (wa), irq (hi), softirq (si), and steal (st), each with specific meanings for performance analysis.

High user% often points to a single process consuming CPU, which can be identified with top and further investigated using perf. Elevated system% may signal heavy I/O or kernel issues. High nice% usually reflects intentional priority lowering. High iowait% indicates slow I/O or bottlenecked devices. Excessive irq/softirq% suggests hardware interrupt problems, while high steal% can reveal over‑committed virtual CPUs.

The fourth and fifth lines display physical and virtual memory statistics, distinguishing Buffers (raw disk metadata) from Cached (file data). The newer avail Mem approximates free memory without swapping. Frequent swap in/out signals memory pressure.

1.2 vmstat

vmstat

provides a compact view of processes, memory, paging, block I/O, and CPU activity. Fields such as r (runnable processes) and b (uninterruptible sleep) help gauge load, while swpd, buff, and cache mirror memory usage. Disk I/O is shown via bi / bo (blocks in/out) and in / cs (interrupts/context switches).

1.3 pidstat

pidstat

offers per‑process statistics. The -t flag expands output to thread‑level details. Useful columns include -r (minor and major page faults), -s (stack usage), -u (CPU usage), and -w (context switches). Filtering by command name can be done with -C "pattern" -l, e.g., pidstat -w -t -C "ailaw" -l.

1.4 Other Tools

For per‑CPU load balance, mpstat -P ALL 1 shows each core’s utilization. htop provides an interactive, colorized view, while ps axjf displays a detailed process tree.

2. Disk I/O

2.1 iostat

iostat -xz 1

(or sar -d 1) reports key disk metrics: avgqu-sz (average queue length), await / r_await / w_await (average I/O wait time), svctm (service time), and %util (device utilization). Values above thresholds (e.g., %util > 60 %) indicate potential bottlenecks.

3. Network

3.1 netstat

netstat -s

summarizes protocol statistics since boot. For live connection info, use options such as -antp (all TCP connections) and -nltp (listening TCP sockets).

3.2 sar

The sar utility can monitor network activity; sar -n TCP,ETCP 1 shows TCP metrics like active/s (outgoing connections), passive/s (incoming connections), retrans/s (retransmissions), and isegerr/s (receive errors). sar -n UDP 1 reports UDP statistics such as noport/s (datagrams without a listening port) and idgmerr/s (undeliverable datagrams).

3.3 tcpdump

tcpdump

captures raw packets for offline analysis with Wireshark. It supports extensive filtering (interface, host, port, protocol) and can limit file size with -C / -W. Captured packets include timestamps, enabling precise reconstruction of connection sequences.