Mastering Linux ps: Decode Options, Syntax, and Output Secrets

1. The Programmer’s Dilemma

About ten years ago, while working as a product manager, I needed to learn common Linux commands from operations engineers. When using the ubiquitous

ps

command, I encountered a puzzling inconsistency: some engineers recommended

ps aux

, while others suggested

ps -aux

. Both seemed to produce the same output, yet older Linux versions complained about

ps -axu

with a "Warning: bad syntax" message, while

ps aux

worked without error. This left me confused.

Later, after joining the ops team and studying the

ps

man page, I discovered that

ps aux

is the correct usage. As I delved deeper, more questions arose, such as the meaning of the

%CPU

column, why it sometimes differs from

top

, why

ps -el

truncates process names, and many others. After exploring the

ps

source code, I compiled my findings into this document to help others.

2. Linux ps Option Syntax

The

ps

command is powerful and its options follow three syntax families:

BSD style – options must not start with a hyphen.

SYSV style – options start with a single hyphen.

GNU style – options start with a double hyphen.

Most long options have a short‑option equivalent. In CentOS 7 you can list them with

ps --help

. This article focuses on BSD and SYSV styles; GNU long options are similar but usually require a parameter (e.g.,

--sid 1

).

Options from different families can be mixed, but the command parses each token according to its family rules.

3. Record‑Selection Options

When using

ps

, many engineers worry that

ps aux

returns far more rows than a plain

ps

call. Understanding which options affect the number of records is essential.

3.1 all_processes option

Only two options display every process: the BSD‑style

a

and the SYSV‑style

-e

(or

-A

). The

-e

flag is easier to remember.

All processes are listed under

/proc

; each numeric directory corresponds to a process. Running

ps -e

yields a row count identical to the number of

/proc

entries.

3.2 simple_select options

Five simple‑select options exist (

-a

,

-d

,

a

,

g

,

x

), comprising two SYSV and three BSD flags. Mixing SYSV with BSD flags causes an error, but options within the same family can be combined (e.g.,

-ad

,

ga

,

ax

,

gx

,

agx

). BSD‑style simple‑select options receive two special treatments:

When BSD simple‑select is used, an extra

g

flag is added.

If

a

,

g

and

x

all appear, they are replaced by

-e

.

Consequently,

ps aux

is equivalent to

ps auxg

,

ps agx u

, or

ps -e u

. In total there are six valid simple‑select combinations, each mapped to a bitmap value used for filtering.

3.3 selection_list options

These options filter processes based on a specific attribute (PID, session ID, UID, GID, command name, terminal, etc.) and each has a GNU‑style long counterpart. They often require a parameter (e.g.,

-p 1234

).

Example usage:

<code>$ ps -u root -p 1</code>

3.4 special‑select options

Option

h

hides the header line.

Option

r

limits output to processes in running (R) or uninterruptible sleep (D) states.

Option

-N

displays the complement of the current selection (i.e., all processes not matched).

3.5 Record‑selection order

The selection proceeds in the following order:

Check for an all‑processes flag (

-e

/

a

).

If absent, evaluate simple‑select flags.

If still not selected, evaluate selection‑list flags.

If BSD flags are present, apply the BSD‑style

g

bitmap rule.

If none of the above selected the record, apply a default bitmap

0xaa00

(processes with matching tty and euid).

If

r

is set, keep only R/D state records.

If

-N

is set, invert the selection.

Finally,

h

removes the header if requested.

4. Sorting Options

Three options control result ordering:

k

sorts by one or more fields, with

+

for ascending and

-

for descending.

f

produces an ASCII‑tree based on parent‑child relationships.

-H

produces a tab‑indented tree.

5. Thread‑Expansion Options

Processes may have multiple threads, visible under

/proc

. The following options expand thread information:

H

,

-L

,

-T

– show thread lines (record count differs from plain

ps -e

).

M

,

m

,

-m

– also include a summary line for the thread group.

Example:

ps -L

lists each thread with its LWP (light‑weight process) ID; the group line shows the main process.

6. Field Options

6.1 General field‑group options

Different option groups produce different default column sets. For example,

ps aux

shows USER, PID, %CPU, %MEM, VSZ, RSS, TTY, STAT, START, TIME, COMMAND;

ps -el

shows PID, PPID, WCHAN, TIME, CMD. The command can output up to 168 fields (see

ps L

).

6.2 Specialized field‑group options

Job‑control format (

-j

) – displays PPID, PID, PGID, SID, TPGID.

i386 register format (

-Z

) – shows STACKP, ESP, EIP.

CPU‑signal format (

-s

) – shows PENDING, BLOCKED, IGNORED, CAUGHT.

Virtual‑memory format (

-v

) – shows MAJFL, TRS, DRS, RSS, %MEM.

SELinux label format (

-Z

) – shows LABEL.

6.3 Custom field selection

Use

-o

(or

o

) to specify a comma‑separated list of fields, e.g.,

ps -o pid,cmd

. The

O

or

-O

options prepend

pid

and append

state,tty,time,command

to the custom list.

7. Field‑Modifier Options

Modifiers affect how a particular column is displayed:

w

(repeatable) prevents truncation of long command lines.

c

shortens the COMMAND column to the executable name.

e

expands COMMAND to include the environment.

S

includes dead child processes in certain aggregate fields.

n

shows numeric IDs instead of names (e.g., numeric UID, raw wchan value).

8. Common Fields Explained

8.1 Process‑ID fields

Key identifiers include

pid

,

ppid

,

pgid

,

sid

,

tpgid

,

tid

(thread ID),

nlwp

(number of threads), and their aliases (

spid

,

lwp

,

tgid

,

pgrp

,

sess

, etc.).

8.2 Command‑name fields

Three groups exist: short name (

comm

/

ucomm

), long name (

cmd

/

command

), and arguments (

args

/

command

). Short names are limited to 15 characters by the kernel.

8.3 Process‑state fields

Single‑byte fields

s

/

state

and multi‑byte

stat

encode attributes such as nice value (

<

for negative,

N

for positive), memory lock (

L

), session leader (

s

), multithreaded (

l

), foreground group (

+

), etc.

8.4 Time fields

Fields like

lstart

,

start_time

,

etimes

record start timestamps and elapsed time; they are convenient for scripting.

8.5 CPU‑time fields

Fields such as

cputime

,

bsdtime

,

pcpu

,

c

report CPU usage.

pcpu

is a per‑thousand value;

c

is a percentage (max 99). Multi‑threaded processes may show > 100%.

8.6 Memory fields

Key memory metrics include

vsz

(virtual size, KB),

rss

(resident set, KB),

pmem

(% of total RAM),

trs

(text),

drs

(data),

size

(swap),

minflt

(minor page faults),

majflt

(major page faults). Ratios such as

rss/minflt ≈ 4

indicate normal page‑fault behavior.

8.7 Credential fields

Credentials include real UID/GID, effective UID/GID, saved set‑UID/GID, and filesystem UID/GID. They determine ownership and permission checks.

8.8 WCHAN fields

wchan

and

wname

show the kernel function where a sleeping process is blocked;

nwchan

shows the raw pointer (truncated on 64‑bit systems).

9. Option Fault‑Tolerance

If a SYSV‑style combination fails to parse,

ps

attempts to reinterpret the same letters as BSD flags. For example,

ps -aux

falls back to

ps aux

. Only seven letters (

-S

,

-X

,

-h

,

-k

,

-v

,

-r

,

-x

) have BSD equivalents and can be auto‑corrected.

10. Practical Summary

10.1 Frequently Used Options

-e

– show all processes.

h

– hide the header.

k

– sort by specified fields.

-L

– expand threads.

-l

– basic long format (s, pid, ppid, time, ucmd).

u

– display CPU, memory, and RSS.

-o

– custom field list.

The

ps

command offers 168 possible output fields; the most useful ones have been highlighted throughout this guide.

Original source: 值得收藏，史上最全Linux ps命令详解 , reposted from the AliDataOps public account, author Wen Maoquan.

Click the original article to visit the conference website.