Master Linux Process Monitoring: ps, dstat, top & htop Explained

Four Famous Detectives as Linux Commands

The classic "Four Famous Detectives" from Wén Ruïán's novels are re‑imagined as Linux utilities: Wuqing represents ps, TieShou stands for dstat, ZhuiMing embodies top, and LengXue corresponds to htop. Each tool showcases a distinct skill for observing processes.

Process‑Related Basics

Before diving into the tools, a brief overview of Linux processes is provided, illustrated by the following diagram.

ps – Lightweight Process Snapshot

ps

displays the current state of processes (static snapshot). It supports three option styles:

UNIX style – options prefixed with a single - (e.g., -e).

BSD style – options without any prefix (e.g., aux).

GNU style – options prefixed with double dashes (e.g., --format).

Commonly used option groups:

aux : a (all processes with a terminal), x (processes without a terminal), u (user‑oriented output).

-ef : -e (show every process) and -f (full‑format listing).

-eFH : adds -F (extra fields), C (CPU utilization), PSR (CPU core), and -H (hierarchical view).

-eo, axo : custom field list after -o (e.g., pid,ni,priority,psr,pcpu,stat,comm,tty,ppid,rtprio).

Key fields explained: PID: Process ID. NI: Nice value. PRIORITY: Scheduling priority. PSR: CPU core the process runs on. CPU%: CPU usage percentage. STAT: Process state (R, S, D, T, Z, etc.).

ps aux

dstat – Dynamic System Resource Statistics

dstat

provides real‑time statistics of system resources. Its general syntax is: dstat [-afv] [options] [delay [count]] Frequently used options include: -c, --cpu: CPU statistics. -d, --disk: Disk I/O. -g: Page‑related rates. -m: Memory statistics. -n: Network interface statistics. -p: Process‑related statistics. -r: I/O request statistics. -s: Swap statistics. --tcp, --udp, --raw, --socket, --ipc: Specific socket or IPC information. --top-cpu, --top-io, --top-mem: Show processes that consume the most CPU, I/O, or memory.

top – Interactive Process Viewer

top

displays a continuously updated list of processes. A typical header looks like:

top – 14:58:34 up 5:28, 1 user, load average: 0.01, 0.02, 0.05

Key sections:

Tasks : total, running, sleeping, stopped, zombie counts.

%Cpu(s) : user, system, nice, idle, iowait, hardware interrupt, software interrupt, stolen time percentages.

KiB Mem : total, free, used, buff/cache.

KiB Swap : total, free, used, available.

Important columns in the process list include PID, USER, PR, NI, VIRT, RES, SHR, S, %CPU, %MEM, TIME+, and COMMAND.

Sorting shortcuts: P: sort by CPU usage. M: sort by memory usage. T: sort by cumulative CPU time.

Interactive commands: l: show open files of a selected process. t: toggle tree view. m: toggle memory display mode. q: quit. s: change refresh interval (e.g., -d #). k: kill a selected process.

htop – Enhanced Interactive Process Viewer

htop

is a more feature‑rich, color‑aware alternative to top. It supports function‑key help (F1) and a range of options: -d #: set delay between screen updates. -u USER: display only processes owned by USER. -s COLUMN: sort by a specific column.

Common sub‑commands accessed via single keys: l: list open files of the selected process. s: trace system calls of the selected process. t: show processes in a tree hierarchy. a: bind a process to a specific CPU core.

Together, these four tools provide a comprehensive toolbox for Linux system administrators and developers to monitor, diagnose, and optimize process‑level performance.