Master Linux System Monitoring: Top, Free, vmstat, iostat, and More

top

Command description

The top command provides real‑time monitoring of system processes, allowing sorting by CPU, memory, and runtime.

Parameters

top -hv | -bcisSHM -d delay -n iterations [-u user | -U user] -p pid[,pid...]

-b : batch mode for piping output to other programs or files.

-c : display the command line of each task.

-d : set delay interval.

-h : help.

-H : show threads.

-i : display idle processes.

-n : number of iterations (usually used with -b).

-u / -U : monitor processes of a specific user.

-p : monitor specific PIDs (comma‑separated).

-s : safe mode.

-S : cumulative time mode.

-v : show version and exit.

-M : auto‑scale memory units (k/M/G).

Global commands (while top is running)

Enter/Space – refresh display.

? or h – help.

= – remove all display limits.

A – toggle alternate display mode.

B – toggle bold display.

d / s – change refresh interval.

G – select another window/field group.

I – toggle Irix/Solaris mode.

u / U – monitor specific user.

k – kill a process.

q – quit top.

r – renice a process.

W – save current settings.

Z – change color scheme.

free

Command description

The free command is the most common tool for monitoring memory usage on Linux.

Parameters

-m : display values in megabytes (default is kilobytes).

-b : display values in bytes.

-s seconds : repeat the display every specified interval.

Result fields

total : total physical memory.

used : memory currently used.

free : memory available.

shared : memory shared among processes.

buffers/cached : size of disk buffers and cache.

vmstat

Command description

vmstat

reports information about processes, memory, paging, block I/O, traps, and CPU activity.

Parameters

vmstat [-a] [-n] [-S unit] [delay [count]]

-a : show active and inactive memory.

-m : display slabinfo.

-n : show field names only once.

-s : display memory statistics and various system activity counts.

-d : show disk statistics.

-S unit : display using specified unit (k, K, m, M).

-V : version information.

-p : show statistics for a specific disk partition.

-D : display overall disk information.

delay : refresh interval (if omitted, only one report is shown).

count : number of reports (if omitted with delay, runs indefinitely).

Result fields

Key sections include Procs (r, b), Memory (swap, free, buff, cache), Io (bi, bo), System (in, cs), Cpu (us, sy, id, wa).

iostat

Command description

iostat

monitors disk I/O statistics and CPU usage.

Parameters

iostat [ -c | -d ] [ -k | -m ] [ -t ] [ -V ] [ -x ] [ device ... | ALL ] [ -p [ device | ALL ] ] [ interval [ count ] ]

-c : display only CPU statistics (mutually exclusive with -d).

-d : display only disk statistics.

-k : show values in kilobytes per second (default is blocks).

-p : display statistics for specified devices or all devices.

-t : include timestamp in output.

-V : version and help.

-x : extended device statistics.

interval : seconds between reports.

count : number of reports.

Key metrics

rrqm/s, wrqm/s – merged read/write requests per second.

r/s, w/s – completed read/write I/O requests per second.

rsec/s, wsec/s – sectors read/written per second.

rkB/s, wkB/s – kilobytes read/written per second.

avgrq‑sz – average request size.

avgqu‑sz – average queue length.

await – average wait time (ms).

svctm – average service time (ms).

%util – percentage of time the device was busy.

mpstat

Command description

mpstat

reports CPU statistics per processor, useful on multi‑core systems.

Parameters

mpstat [-P {ALL|cpu}] [interval [count]]

-P {ALL|cpu} : select which CPU(s) to monitor.

interval : seconds between samples.

count : number of samples (requires interval).

Without parameters, mpstat shows averages since system boot.

Result fields

user : CPU time spent in user mode.

nice : CPU time for low‑priority processes.

system : CPU time in kernel mode.

iowait : time waiting for I/O.

irq : time handling hardware interrupts.

soft : time handling software interrupts.

idle : idle time.

intr/s : interrupts per second.

sar

Command description

sar

collects, reports, and saves system activity information, covering CPU, memory, I/O, network, and more.

Parameters

sar [options] [-A] [-o file] interval [count]

-A : all reports.

-u : CPU utilization.

-v : process, inode, and file table statistics.

-p : per‑CPU usage.

-d : disk activity.

-r : memory usage.

-n : network statistics (options: DEV, EDEV, SOCK, FULL).

-q : run queue length.

-B : paging statistics.

-R : process activity.

-g : serial I/O.

-b : buffer usage.

-a : file read/write.

-c : system calls.

-W : swap activity.

Key sections

CPU: %user, %nice, %system, %iowait, %steal, %idle.

Memory: kbmemfree, kbmemused, %memused, kbbuffers, kbcached, kbcommit, %commit.

Paging: pgpgin/s, pgpgout/s, fault/s, majflt/s, pgfree/s, pgscank/s, pgscand/s, pgsteal/s, %vmeff.

IO: tps, rtps, wtps, bread/s, bwrtn/s.

Load: runq‑sz, plist‑sz, ldavg‑1, ldavg‑5, ldavg‑15.

Swap: pswpin/s, pswpout/s.

Device: -p shows device names; metrics include tps, rd_sec/s, wr_sec/s, avgrq‑sz, avgqu‑sz, await, svctm, %util.

netstat

Command description

netstat

displays network connections, routing tables, interface statistics, masquerade connections, and multicast memberships.

Common options

-a : show all sockets (listening and established).

-t : display TCP sockets.

-u : display UDP sockets.

-n : show numerical addresses instead of resolving names.

-l : show only listening sockets.

-p : show PID/program name owning the socket.

-r : display routing table.

-e : show extended information (e.g., UID).

-s : statistics per protocol.

-c : continuous display at intervals.

-v : verbose output.

-I : display interface information.

Result fields

Iface – interface name.

MTU – maximum transmission unit.

RX‑OK/TX‑OK – packets successfully received/transmitted.

RX‑ERR/TX‑ERR – packet errors.

RX‑DRP/TX‑DRP – dropped packets.

RX‑OVR/TX‑OVR – overruns.

Flags – interface flags (B, L, M, N, O, P, R, U).

Recv‑Q / Send‑Q – receive and send queues.

Local Address / Foreign Address – endpoints.

State – connection state (LISTEN, ESTABLISHED, TIME_WAIT, etc.).

uptime

Command description

uptime

reports how long the system has been running, how many users are logged in, and the load averages for the past 1, 5, and 15 minutes.

Result fields

Current time.

System up time.

Number of logged‑in users.

Load averages (1‑min, 5‑min, 15‑min).

Note: sustained load averages higher than the number of CPU cores indicate CPU saturation.

ps

Command description

ps

lists running processes and provides detailed information such as PID, user, CPU and memory usage, state, and command line.

Common options

-A / -e : show all processes.

-a : show processes attached to a terminal.

-x : show processes without a controlling terminal.

-u user : filter by user.

-f : full format listing.

-l : long format (includes F, wchan, etc.).

-j : job format.

-o format : custom output format.

-H : hierarchical (tree) view.

-h : omit header line.

Typical usage examples

ps a

: all processes on the current terminal. ps -A: all processes system‑wide. ps c: display only the command name. ps -ef | grep <em>name</em>: find a specific process. ps aux: detailed view used with grep for filtering.

Result fields

USER, UID – owner.

PID, PPID – process and parent IDs.

%CPU, %MEM – resource usage.

VSZ, RSS – virtual and resident memory size.

STAT – process state (R, S, D, Z, T, etc.).

START – start time.

TIME – cumulative CPU time.

COMMAND – command line.

watch

Command description

watch

repeatedly executes a program, showing its output and highlighting changes.

Key options

-d : highlight differences between updates.

-n seconds : set the interval between executions.

Example: watch -d -n 1 netstat -ant monitors network connections every second, highlighting changes.

strace

Command description

strace

traces system calls and signals of a process, showing arguments, return values, and timing.

Important options

-p pid : attach to a running process.

-f : follow child processes created by fork.

-F : follow vfork (disabled when -f is also used).

-o file : write output to a file.

-ff : separate output per traced process (used with -o).

-r : show relative timestamps.

-t / -tt / -ttt : prepend timestamps (seconds, microseconds, or relative).

-v : verbose, show all system calls.

-s size : max string length to print (default 32).

-c : summary statistics per system call.

-e expr : filter output by expression.

-d : debug output to stderr.

-i : show syscall entry pointers.

-q : suppress detach messages.

-T : show time spent in each call.

-V : version.

-x / -xx : print non‑printable strings in hex.

Example: strace -ff -F -o ls.log ls -l traces the execution of ls -l and saves per‑process logs.

lsof

Command description

lsof

lists open files and the processes that opened them; on Linux, everything is a file.

Key options

-a : list processes with open files.

-c name : list files opened by processes matching name .

-g : list by GID.

-d fd : list processes using a specific file descriptor.

+d dir : list files opened under a directory.

+D dir : recursive version of +d.

-n : show NFS files.

-i cond : filter by network criteria.

-p pid : list files opened by a specific PID.

-u user : list files opened by a user.

-U : list UNIX domain sockets.

-h : help.

-v : version.

Example: listing all socket files owned by root.

Result columns include COMMAND, PID, USER, FD, TYPE, DEVICE, SIZE, NODE, and NAME.