Master Linux System Monitoring: top, free, vmstat, iostat, netstat and More

top

The top utility provides a real‑time view of system processes, CPU usage, memory consumption and load average. It can sort by CPU, memory or runtime and supports batch mode for scripting.

Common options

Usage:

top -hv | -bcisSHM -d delay -n iterations [-u user | -U user] -p pid[,pid...]

-b

– batch mode (suitable for piping or saving output) -c – display full command line of each task -d seconds – set delay between updates -h – help -H – show threads -i – include idle processes -n count – number of iterations (usually with -b) -u / -U – monitor processes of a specific user -p pid[,pid...] – monitor specific PIDs -s – safe mode -S – cumulative CPU time -v – version -M – auto‑scale memory units (k/M/G)

Interactive commands (while running)

Space/Enter – refresh display ? or h – help = – remove display limits A – toggle alternate display mode B – toggle bold display d / s – change refresh interval G – select another window/field group I – toggle Irix/Solaris mode u / U – monitor specific user k – kill a process q – quit r – renice a process W – write current settings to

.toprc

Z

– change color scheme

free

The free command reports memory usage.

Options

-m

– display values in megabytes (default is kilobytes) -b – display values in bytes -s seconds – continuously monitor memory at the given interval

Key fields

total – total physical memory

used – memory currently used

free – memory currently free

shared – memory shared between processes

buffers/cache – size of disk cache

vmstat

vmstat

reports process, memory, swap, I/O, system and CPU statistics.

Syntax

vmstat [-a] [-n] [-S unit] [delay [count]]

Important options

-a

– show active and inactive memory -m – display slabinfo -n – print header only once -s – show memory‑related statistics and system activity counts -d – show disk statistics -S unit – specify unit (k, K, m, M) -V – version -p partition – statistics for a specific partition -D – overall disk information

Typical output fields

procs : R (running/ready), B (blocked)

memory : swap, free, buff, cache

io : bi, bo (blocks in/out)

system : in (interrupts/sec), cs (context switches/sec)

cpu : us (user), sy (system), id (idle), wa (iowait)

iostat

iostat

monitors disk I/O statistics and CPU usage.

Syntax

iostat [ -c | -d ] [ -k | -m ] [ -t ] [ -V ] [ -x ] [ device ... | ALL ] [ -p [ device | ALL ] ] [ interval [ count ] ]

Key options

-c

– show only CPU statistics (mutually exclusive with -d) -d – show only disk statistics -k – display values per second in kilobytes (default unit is blocks) -p device|ALL – show statistics for a specific device or all devices -t – print timestamp with each report -V – version/help -x – extended device statistics interval – seconds between reports count – number of reports

Important metrics

rrqm/s

, wrqm/s – merged read/write requests per second r/s, w/s – reads/writes per second rsec/s, wsec/s – sectors read/written per second rkB/s, wkB/s – kilobytes read/written per second avgrq‑sz – average request size avgqu‑sz – average queue length await – average wait time (ms) svctm – average service time (ms) %util – percentage of time I/O was active

mpstat

mpstat

reports per‑processor CPU statistics, useful on multi‑core systems.

Syntax

mpstat [-P {cpu|ALL}] [interval [count]]

Options

-P {cpu|ALL}

– select a specific CPU or all CPUs interval – seconds between samples count – number of samples (requires interval)

Output fields

user

– % CPU time in user space nice – % CPU time for low‑priority processes system – % CPU time in kernel iowait – % CPU time waiting for I/O irq – % CPU time handling hardware interrupts soft – % CPU time handling software interrupts idle – % CPU idle intr/s – interrupts per second

sar

sar

collects and reports a wide range of system performance metrics.

Common usage

sar [options] [-A] [-o file] interval [count]

Frequently used options

-A

– all reports -u – CPU utilization -r – memory usage -d – disk I/O -n – network statistics (sub‑options: DEV, EDEV, SOCK, FULL) -q – run queue length / load average -B – paging statistics -W – swap activity

Key sections and interpretation

CPU : %user, %nice, %system, %iowait, %steal, %idle – high %iowait indicates I/O bottleneck; low %idle with slow response may point to memory pressure.

Memory & swap : kbmemfree, kbmemused, %memused, kbbuffers, kbcached, kbcommit, %commit – compare with free output for consistency.

Paging : pgpgin/s, pgpgout/s, fault/s, majflt/s, pgfree/s, pgscank/s, pgscand/s, pgsteal/s, %vmeff – monitor page reclaim efficiency.

Disk I/O : tps, rtps, wtps, bread/s, bwrtn/s, avgrq‑sz, avgqu‑sz, await, svctm, %util – high %util or long await signals saturation.

Network : iface, RX‑OK/TX‑OK, RX‑ERR/TX‑ERR, RX‑DRP/TX‑DRP, RX‑OVR/TX‑OVR – non‑zero error or drop counters indicate problems.

Load average : ldavg‑1, ldavg‑5, ldavg‑15 – values consistently above CPU count suggest overload.

netstat

netstat

displays network connections, routing tables, interface statistics and protocol counters.

Common options

-a

– show all sockets (listening and non‑listening) -t – TCP only -u – UDP only -n – numeric addresses -l – listening sockets only -p – show PID/program name -r – routing table -e – extended info (e.g., UID) -s – protocol statistics -c – continuous display at intervals -v – verbose

Key output fields

Iface – interface name

MTU – maximum transmission unit

RX‑OK/TX‑OK – packets received/sent successfully

RX‑ERR/TX‑ERR – packet errors

RX‑DRP/TX‑DRP – dropped packets

RX‑OVR/TX‑OVR – overruns

State – LISTEN, ESTABLISHED, TIME_WAIT, etc.

uptime

uptime

reports how long the system has been running, the number of logged‑in users, and the 1‑, 5‑ and 15‑minute load averages.

Option

-V

– version

Interpretation

If the load average consistently exceeds the number of CPU cores, the system is likely overloaded.

ps

ps

lists running processes and their status.

Common options

-A

or -e – all processes -a – processes with a terminal -d – omit session leaders -x – include processes without a controlling terminal -p pid – select by PID -u user – select by user -f – full‑format listing (tree view) -l – long format (flags, priority, etc.) -j – job format -o format – custom output -H – hierarchical view

Typical usage

ps a

– all processes on the current terminal ps -A – all processes system‑wide ps c – display only command names ps f or ps -H – tree view ps aux | grep <em>process</em> – filter for a specific process

watch

watch

runs a program periodically, displaying its output and optionally highlighting changes.

Options

-d

– highlight differences between updates -n seconds – set interval

Example

watch -d -n 1 netstat -ant

– refresh netstat -ant every second, highlighting changes.

strace

strace

traces system calls and signals of a process, showing arguments, return values and timing.

Common options

-p

pid – attach to a running process -f – follow forks -F – follow vforks (unless -f is also used) -o file – write output to a file -ff – separate output per thread -r – show relative timestamps -t, -tt, -ttt – timestamp each line (seconds, microseconds, or relative) -v – verbose (show all syscalls) -s N – limit string length (default 32) -c – summary statistics per syscall -e expr – filter expression -d – debug output -i – show syscall entry pointers -q – suppress detach messages -T – show time spent in each syscall -V – version -x, -xx – hex output for non‑printable strings

Example

strace -ff -F -o ls.log ls -l

– trace ls -l, writing per‑process logs to ls.log files.

lsof

lsof

lists open files and the processes that opened them; in Unix everything is a file.

Common options

-a

– list processes that have opened a file -c process – list files opened by a specific process name -g – list by GID -d fd – list processes using a specific file descriptor +d dir – list files opened under a directory +D dir – recursive version of

+d

-i

criteria – filter by network criteria -p pid – list files opened by a specific PID -u user – list files opened by a user -U – list UNIX domain sockets only -h – help -v – version

Typical output fields

COMMAND – process name

PID – process ID

USER – owner

FD – file descriptor (e.g., cwd, txt)

TYPE – file type (DIR, REG, etc.)

DEVICE – device identifier

SIZE – file size

NODE – inode number

NAME – full file name

Source: https://www.cnblogs.com/lingfengblogs/p/4158727.html