Master Linux System Monitoring: Top, Free, Vmstat, Iostat, Mpstat, Sar, Netstat, Uptime, Ps, Watch, Strace & Lsof

Top

Command description

Provides real‑time monitoring of system activity. The display can be sorted by CPU usage, memory consumption, or execution time.

Parameters

Usage:

top -hv | -bcisSHM -d delay -n iterations [-u user | -U user] -p pid[,pid...]

-b

– Batch mode, suitable for piping output to other programs or saving to a file. -c – Show the full command line for each process. -d – Set the delay between screen updates (seconds). -h – Display help. -H – Show threads for each process. -i – Include idle processes. -n – Number of iterations (often used with -b). -u / -U – Monitor processes belonging to a specific user. -p – Monitor specific process IDs (comma‑separated). -s – Secure mode operation. -S – Cumulative time mode. -v – Show version and exit. -M – Auto‑scale memory units (k/M/G).

Result explanation

The screen updates continuously, showing columns such as PID, USER, PR, NI, VIRT, RES, SHR, S, %CPU, %MEM, TIME+, and COMMAND. Global interactive commands (active when no process is selected) include:

Enter/Space – Refresh display.

? or h – Help.

= – Remove all display limits.

A – Toggle alternate display mode.

B – Toggle bold display.

d / s – Change refresh interval.

G – Switch to another window/group.

I – Toggle Irix/Solaris mode.

u / U – Monitor a specific user.

k – Kill a process.

q – Quit top.

r – Renice a process.

W – Save current settings.

Z – Change color scheme.

Free

Command description

Displays memory usage statistics; it is the most common tool for quick memory inspection.

Parameters

-m

– Show memory usage in megabytes (default is kilobytes). -b – Show memory usage in bytes. -s – Continuously display memory statistics at a specified interval without clearing the screen.

Result explanation

Key columns:

total – Total physical memory.

used – Amount of memory currently used.

free – Memory available for new allocations.

shared – Memory shared between processes.

buffers/cache – Size of kernel buffers and page cache.

Vmstat

Command description

Reports virtual memory, processes, CPU, and I/O statistics.

Parameters

vmstat [-a] [-n] [-S unit] [delay [count]]

-a

– Show active and inactive memory. -m – Show slabinfo. -n – Print field names only once at start. -s – Show memory‑related statistics and various system activity counts. -d – Show disk‑related statistics. -S unit – Use the specified unit (k, K, m, M). -V – Show version and help. -p device – Show statistics for a specific device. delay – Refresh interval in seconds (if omitted, a single snapshot is printed). count – Number of refreshes; if omitted with a delay, the command runs indefinitely.

Result explanation

Typical fields:

procs – r (runnable processes) and b (blocked processes).

memory – swpd (swap used), free, buff, cache.

swap – si (swap‑in) and so (swap‑out).

io – bi (blocks in) and bo (blocks out).

system – in (interrupts per second) and cs (context switches per second).

cpu – us (user), sy (system), id (idle), wa (I/O wait), st (steal).

Iostat

Command description

Monitors disk I/O statistics and also provides CPU usage information.

Parameters

iostat [ -c | -d ] [ -k | -m ] [ -t ] [ -V ] [ -x ] [ device [...] | ALL ] [ -p [ device | ALL ] ] [ interval [ count ] ]

-c

– Show only CPU statistics (mutually exclusive with -d). -d – Show only disk statistics (mutually exclusive with -c). -k – Display per‑second values in kilobytes (default is blocks). -m – Display per‑second values in megabytes. -p device|ALL – Show statistics for a specific device or all devices (mutually exclusive with -x). -t – Print a timestamp with each report. -V – Show version and help. -x – Show extended statistics for the specified device. interval – Time between reports (seconds). count – Number of reports to generate.

Result explanation

Key disk fields (per device):

rrqm/s – Merged read requests per second.

wrqm/s – Merged write requests per second.

r/s – Read requests per second.

w/s – Write requests per second.

rsec/s – Sectors read per second.

wsec/s – Sectors written per second.

rkB/s – Kilobytes read per second (half of rsec/s because a sector is 512 bytes).

wkB/s – Kilobytes written per second.

avgrq‑sz – Average request size (sectors).

avgqu‑sz – Average queue length.

await – Average wait time (ms) per I/O request.

svctm – Average service time (ms) per I/O request.

%util – Percentage of time the device was busy.

Key CPU fields (when -c is used):

%usr – User‑level CPU time.

%nice – Low‑priority user CPU time.

%system – Kernel CPU time.

%iowait – I/O wait time.

%steal – Time stolen by a hypervisor.

%idle – Idle time.

Mpstat

Command description

Reports CPU statistics; on multi‑core systems it can show per‑CPU as well as average values.

Parameters

mpstat [-P {|ALL}] [interval [count]]

-P {|ALL}

– Specify which CPU(s) to monitor (0‑N‑1 or ALL). interval – Seconds between samples. count – Number of samples (used with interval).

Result explanation

Typical columns:

CPU – Identifier (specific core or all).

%user – Time spent in user mode.

%nice – Time spent in user mode with low priority.

%system – Time spent in kernel mode.

%iowait – Time waiting for I/O.

%steal – Time stolen by a hypervisor.

%idle – Idle time.

Interpretation tips:

High %iowait suggests a possible disk I/O bottleneck.

Very low %idle with high load indicates CPU saturation.

Sar

Command description

Collects and reports a wide range of system performance metrics, including CPU, memory, I/O, network, and kernel activity.

Parameters

sar [options] [-A] [-o file] interval [count]

-A

– All reports. -u – CPU utilization. -r – Memory usage. -b – Disk I/O (blocks per second, transfers per second). -d – Detailed disk statistics. -n – Network statistics (DEV, EDEV, SOCK, FULL). -q – Run‑queue size and load average. -B – Memory paging. -W – Swap activity. -o file – Write binary output to file for later analysis. interval – Sampling interval in seconds (required). count – Number of samples (optional, default 1).

Result explanation

CPU fields (from sar -u) %user – User‑level CPU time. %nice – Low‑priority user CPU time. %system – Kernel CPU time. %iowait – Time waiting for I/O. %steal – Time the hypervisor spent servicing other VMs. %idle – Idle CPU time.

Memory fields (from sar -r) kbmemfree – Free memory (matches free output). kbmemused – Used memory including buffers/cache. %memused – Percentage of used memory. kbbuff / kbcached – Buffer and cache sizes. kbcommit – Memory required to avoid swapping (RAM + swap). %commit – Commit as a percentage of total RAM + swap.

Paging fields (from sar -B) pgpgin/s – Pages paged in per second (KB). pgpgout/s – Pages paged out per second (KB). fault/s – Page faults per second (major + minor). majflt/s – Major page faults per second. pgfree/s – Pages freed per second. pgscank/s – Pages scanned by kswapd per second. pgscand/s – Pages scanned directly per second. pgsteal/s – Pages reclaimed from cache per second. %vmeff – Efficiency: pgsteal / ( pgscank + pgscand) × 100%.

I/O fields (from sar -b) tps – Transfers per second. rtps – Read transfers per second. wtps – Write transfers per second. bread/s – Blocks read per second. bwrtn/s – Blocks written per second.

Run‑queue and load (from sar -q) runq‑sz – Number of processes waiting for CPU. plist‑sz – Total number of processes and threads. ldavg‑1, ldavg‑5, ldavg‑15 – Load averages for the last 1, 5, 15 minutes.

Swap activity (from sar -W) pswpin/s – Pages swapped in per second. pswpout/s – Pages swapped out per second.

Netstat

Command description

Displays network connections, routing tables, interface statistics, masquerade connections, and multicast memberships.

Parameters

-a

– Show all sockets (listening and non‑listening). -t – Show TCP sockets. -u – Show UDP sockets. -n – Show numerical addresses (no name resolution). -l – Show only listening sockets. -p – Show the PID/Program name owning the socket. -r – Display the routing table. -e – Show extended information (e.g., UID). -s – Show protocol statistics. -c – Continuously display information (like watch). -v – Verbose output (similar to -n). -I – Show interface information.

Result explanation

Interface columns:

Iface – Interface name.

MTU – Maximum Transmission Unit (bytes).

RX‑OK / TX‑OK – Packets successfully received/sent.

RX‑ERR / TX‑ERR – Receive/transmit errors.

RX‑DRP / TX‑DRP – Dropped packets.

RX‑OVR / TX‑OVR – Overrun errors.

Flg – Interface flags (B broadcast, L loopback, M multicast, N no‑arp, O no‑arp, P point‑to‑point, R running, U up).

Connection table columns:

Recv‑Q / Send‑Q – Receive and send queues.

Local Address – Local IP and port.

Foreign Address – Remote IP and port.

State – Connection state (LISTEN, ESTABLISHED, TIME_WAIT, etc.).

Uptime

Command description

Reports how long the system has been running, the number of logged‑in users, and the load averages for the past 1, 5, and 15 minutes.

Parameters

-V

– Show version.

Result explanation

14:23:01 up 3 days,  4:12,  2 users,  load average: 0.15, 0.10, 0.08

The three load‑average numbers represent the average number of processes in the run queue over the last 1, 5, and 15 minutes. Values consistently higher than the number of CPU cores indicate a CPU‑bound system.

Ps

Command description

Lists currently running processes and provides detailed information about each process.

Parameters

-A

/ -e – Show all processes. -a – Show processes associated with a terminal, excluding session leaders. -d – Show all processes, omitting session leaders. -x – Show processes without a controlling terminal. -f – Full‑format listing (often combined with other options). -l – Long format (includes flags, wchan, etc.). -j – Job format. -o format – User‑defined output format. -u user – Show processes for a specific user. -p pid – Show a specific process ID. -H – Show process hierarchy. -h – Omit header line.

Common usages

ps a

– Show all processes for the current terminal. ps -A – Show all processes. ps c – Show command names without path or arguments. ps -e – Same as -A. ps e – Show environment variables. ps f – Display a tree of processes. ps -H – Show hierarchical view. ps -aux | grep <em>process_name</em> – Filter for a specific process.

Result explanation

Important columns:

USER – Owner of the process.

PID – Process ID.

PPID – Parent process ID.

SID – Session ID.

%CPU – CPU usage percentage.

%MEM – Memory usage percentage.

VSZ – Virtual memory size (KB).

RSS – Resident set size (actual memory, KB).

TTY – Controlling terminal.

STAT – Process state (R running, S sleeping, D uninterruptible, Z zombie, T stopped, etc.).

START – Start time/date.

TIME – Cumulative CPU time.

COMMAND – Executed command line.

Watch

Command description

Runs a program periodically, showing its output and highlighting changes between iterations.

Parameters

-d

– Highlight differences between successive updates. -n seconds – Set the interval between executions.

Result explanation

Example: monitor network connections every second.

watch -d -n 1 netstat -ant

The display refreshes each second, with changed lines highlighted.

Strace

Command description

Traces system calls and signals for a given process, showing arguments, return values, and timing information.

Parameters

-p pid

– Attach to an existing process. -f – Follow child processes created by fork. -F – Follow vfork (ignored if -f is also used). -o file – Write output to file instead of stdout. -ff – Separate output per traced process (used with -o). -r – Show relative time for each call. -t / -tt / -ttt – Prefix each line with timestamp (seconds, microseconds, or relative). -v – Verbose – show all system calls. -s size – Max string length to print (default 32). -c – Summarize call counts, errors, and time. -e expr – Filter output by expression. -d – Debug output to stderr. -i – Show system‑call entry points. -q – Suppress detach messages. -T – Show time spent in each call. -V – Show version. -x / -xx – Print non‑printable strings in hexadecimal.

Result explanation

Example tracing the ls -l command:

strace -ff -F -o ls.log ls -l

If a system call fails, the return value is typically -1 and the error is shown after the call.

Lsof

Command description

Lists open files and the processes that opened them; in Unix everything is a file.

Parameters

-a

– List processes that have open files. -c process_name – Show files opened by processes matching the name. -g – Show details for a specific GID. -d fd – List processes using a particular file descriptor. +d directory – List files opened under a directory. +D directory – Recursively list files opened under a directory. -n – Show files on NFS mounts. -i criteria – List processes matching network criteria. -p pid – Show files opened by a specific process ID. -u user – Show files opened by a specific user. -U – Show only UNIX domain sockets. -h – Help. -v – Version.

Result explanation

Typical columns:

COMMAND – Process name.

PID – Process ID.

USER – Owner of the process.

FD – File descriptor (e.g., cwd, txt, mem, etc.).

TYPE – File type (DIR, REG, etc.).

DEVICE – Device identifier.

SIZE – Size of the file.

NODE – Inode number.

NAME – Full pathname of the opened file.

Summary of key metrics

When using these tools, keep the following interpretation guidelines in mind:

CPU load averages higher than the number of CPU cores suggest CPU saturation.

High %iowait (from top, mpstat, sar) indicates possible disk I/O bottlenecks.

In iostat, a %util close to 100 % means the device is fully utilized.

Memory pressure can be identified by low free (or kbmemfree) and high %memused values.

Swap activity ( pswpin/s, pswpout/s) rising sharply signals insufficient RAM.

Network errors or high drop counters in netstat output point to network quality issues.