Mastering Linux ps: Decode Options, Syntax, and Output Secrets
This comprehensive guide demystifies the Linux ps command by explaining its option syntax, the differences between BSD, SYSV and GNU styles, record‑selection rules, sorting, threading, field selection, modifiers, and error‑handling, while providing practical examples, visual illustrations, and tips for effective system monitoring.
1. The Programmer’s Dilemma
About ten years ago, while working as a product manager, I needed to learn common Linux commands from operations engineers. When using the ubiquitous ps command, I encountered a puzzling inconsistency: some engineers recommended ps aux, while others suggested ps -aux. Both seemed to produce the same output, yet older Linux versions complained about ps -axu with a "Warning: bad syntax" message, while ps aux worked without error. This left me confused.
Later, after joining the ops team and studying the ps man page, I discovered that ps aux is the correct usage. As I delved deeper, more questions arose, such as the meaning of the %CPU column, why it sometimes differs from top, why ps -el truncates process names, and many others. After exploring the ps source code, I compiled my findings into this document to help others.
2. Linux ps Option Syntax
The ps command is powerful and its options follow three syntax families:
BSD style – options must not start with a hyphen.
SYSV style – options start with a single hyphen.
GNU style – options start with a double hyphen.
Most long options have a short‑option equivalent. In CentOS 7 you can list them with ps --help. This article focuses on BSD and SYSV styles; GNU long options are similar but usually require a parameter (e.g., --sid 1).
Options from different families can be mixed, but the command parses each token according to its family rules.
3. Record‑Selection Options
When using ps, many engineers worry that ps aux returns far more rows than a plain ps call. Understanding which options affect the number of records is essential.
3.1 all_processes option
Only two options display every process: the BSD‑style a and the SYSV‑style -e (or -A). The -e flag is easier to remember.
All processes are listed under /proc; each numeric directory corresponds to a process. Running ps -e yields a row count identical to the number of /proc entries.
3.2 simple_select options
Five simple‑select options exist (-a, -d, a, g, x), comprising two SYSV and three BSD flags. Mixing SYSV with BSD flags causes an error, but options within the same family can be combined (e.g., -ad, ga, ax, gx, agx). BSD‑style simple‑select options receive two special treatments:
When BSD simple‑select is used, an extra g flag is added.
If a, g and x all appear, they are replaced by -e.
Consequently, ps aux is equivalent to ps auxg, ps agx u, or ps -e u. In total there are six valid simple‑select combinations, each mapped to a bitmap value used for filtering.
3.3 selection_list options
These options filter processes based on a specific attribute (PID, session ID, UID, GID, command name, terminal, etc.) and each has a GNU‑style long counterpart. They often require a parameter (e.g., -p 1234).
Example usage:
$ ps -u root -p 1
3.4 special‑select options
Option h hides the header line.
Option r limits output to processes in running (R) or uninterruptible sleep (D) states.
Option -N displays the complement of the current selection (i.e., all processes not matched).
3.5 Record‑selection order
The selection proceeds in the following order:
Check for an all‑processes flag (-e / a).
If absent, evaluate simple‑select flags.
If still not selected, evaluate selection‑list flags.
If BSD flags are present, apply the BSD‑style g bitmap rule.
If none of the above selected the record, apply a default bitmap 0xaa00 (processes with matching tty and euid).
If r is set, keep only R/D state records.
If -N is set, invert the selection.
Finally, h removes the header if requested.
4. Sorting Options
Three options control result ordering:
k sorts by one or more fields, with + for ascending and - for descending.
f produces an ASCII‑tree based on parent‑child relationships.
-H produces a tab‑indented tree.
5. Thread‑Expansion Options
Processes may have multiple threads, visible under /proc. The following options expand thread information:
H, -L, -T – show thread lines (record count differs from plain ps -e).
M, m, -m – also include a summary line for the thread group.
Example: ps -L lists each thread with its LWP (light‑weight process) ID; the group line shows the main process.
6. Field Options
6.1 General field‑group options
Different option groups produce different default column sets. For example, ps aux shows USER, PID, %CPU, %MEM, VSZ, RSS, TTY, STAT, START, TIME, COMMAND; ps -el shows PID, PPID, WCHAN, TIME, CMD. The command can output up to 168 fields (see ps L).
6.2 Specialized field‑group options
Job‑control format (-j) – displays PPID, PID, PGID, SID, TPGID.
i386 register format (-Z) – shows STACKP, ESP, EIP.
CPU‑signal format (-s) – shows PENDING, BLOCKED, IGNORED, CAUGHT.
Virtual‑memory format (-v) – shows MAJFL, TRS, DRS, RSS, %MEM.
SELinux label format (-Z) – shows LABEL.
6.3 Custom field selection
Use -o (or o) to specify a comma‑separated list of fields, e.g., ps -o pid,cmd. The O or -O options prepend pid and append state,tty,time,command to the custom list.
7. Field‑Modifier Options
Modifiers affect how a particular column is displayed:
w (repeatable) prevents truncation of long command lines.
c shortens the COMMAND column to the executable name.
e expands COMMAND to include the environment.
S includes dead child processes in certain aggregate fields.
n shows numeric IDs instead of names (e.g., numeric UID, raw wchan value).
8. Common Fields Explained
8.1 Process‑ID fields
Key identifiers include pid, ppid, pgid, sid, tpgid, tid (thread ID), nlwp (number of threads), and their aliases (spid, lwp, tgid, pgrp, sess, etc.).
8.2 Command‑name fields
Three groups exist: short name (comm / ucomm), long name (cmd / command), and arguments (args / command). Short names are limited to 15 characters by the kernel.
8.3 Process‑state fields
Single‑byte fields s / state and multi‑byte stat encode attributes such as nice value (< for negative, N for positive), memory lock (L), session leader (s), multithreaded (l), foreground group (+), etc.
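A small decoder for the stat column, as an added example that is not part of the original article. The function names decode_stat and annotate_stat are hypothetical; the flag meanings are the ones listed above, and the state letters (first character) follow the ps(1) man page.

```shell
#!/bin/sh
# Added example: decode a ps STAT value such as "Ss+" or "R<l".
# The first character is the process state, the rest are attribute flags.
decode_stat() {
    stat=$1
    [ -n "$stat" ] || { echo "empty STAT" >&2; return 1; }
    flags=${stat#?}              # everything after the first character
    state=${stat%"$flags"}       # the first character itself
    case $state in
        R) out="running" ;;
        S) out="interruptible sleep" ;;
        D) out="uninterruptible sleep" ;;
        T) out="stopped" ;;
        Z) out="zombie" ;;
        I) out="idle kernel thread" ;;
        *) out="state $state" ;;
    esac
    while [ -n "$flags" ]; do
        rest=${flags#?}
        flag=${flags%"$rest"}
        case $flag in
            '<') out="$out, negative nice" ;;
            N)   out="$out, positive nice" ;;
            L)   out="$out, memory lock" ;;
            s)   out="$out, session leader" ;;
            l)   out="$out, multithreaded" ;;
            +)   out="$out, foreground group" ;;
            *)   out="$out, unknown flag $flag" ;;
        esac
        flags=$rest
    done
    printf '%s\n' "$out"
}

# Annotate "PID STAT COMMAND" lines read from stdin.
# Live use: ps -e -o pid=,stat=,comm= | annotate_stat
annotate_stat() {
    while read -r pid stat comm; do
        printf '%s %s: %s\n' "$pid" "$comm" "$(decode_stat "$stat")"
    done
}
```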
8.4 Time fields
Fields like lstart, start_time, etimes record start timestamps and elapsed time; they are convenient for scripting.
8.5 CPU‑time fields
Fields such as cputime, bsdtime, pcpu, c report CPU usage. pcpu is a per‑thousand value; c is a percentage (max 99). Multi‑threaded processes may show > 100%.
8.6 Memory fields
Key memory metrics include vsz (virtual size, KB), rss (resident set, KB), pmem (% of total RAM), trs (text), drs (data), size (swap), minflt (minor page faults), majflt (major page faults). Ratios such as rss/minflt ≈ 4 indicate normal page‑fault behavior.
8.7 Credential fields
Credentials include real UID/GID, effective UID/GID, saved set‑UID/GID, and filesystem UID/GID. They determine ownership and permission checks.
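A check built on these credential fields, as an added example that is not part of the original article: it lists processes whose real, effective, saved and filesystem UIDs are not all equal, which is where set‑UID programs and privilege drops show up. The function names and the sample lines are constructed for illustration; ruid, euid, suid and fsuid are the ps field names for the four user IDs.

```shell
#!/bin/sh
# Added example, not from the original article.
# Constructed sample in the layout of:
#   ps -e -o pid=,ruid=,euid=,suid=,fsuid=,comm=
sample_ps_lines() {
    cat <<'EOF'
1 0 0 0 0 systemd
812 1000 1000 1000 1000 bash
2044 1000 0 0 0 passwd
3051 0 33 0 33 worker
EOF
}

# Print every process whose four user IDs are not all equal.
# "elevated" marks an effective UID of 0 with a non-root real UID.
uid_mismatch() {
    awk '
        NF < 6 { next }                       # skip short or blank lines
        $2 == $3 && $3 == $4 && $3 == $5 { next }
        {
            cmd = $6
            for (i = 7; i <= NF; i++) cmd = cmd " " $i
            tag = ($3 == 0 && $2 != 0) ? "elevated" : "differs"
            printf "%s %s %s ruid=%s euid=%s suid=%s fsuid=%s\n",
                   $1, cmd, tag, $2, $3, $4, $5
        }'
}

# Live use: ps -e -o pid=,ruid=,euid=,suid=,fsuid=,comm= | uid_mismatch
```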
8.8 WCHAN fields
wchan and wname show the kernel function where a sleeping process is blocked; nwchan shows the raw pointer (truncated on 64‑bit systems).
9. Option Fault‑Tolerance
If a SYSV‑style combination fails to parse, ps attempts to reinterpret the same letters as BSD flags. For example, ps -aux falls back to ps aux. Only seven letters (-S, -X, -h, -k, -v, -r, -x) have BSD equivalents and can be auto‑corrected.
10. Practical Summary
10.1 Frequently Used Options
-e – show all processes.
h – hide the header.
k – sort by specified fields.
-L – expand threads.
-l – basic long format (s, pid, ppid, time, ucmd).
u – display CPU, memory, and RSS.
-o – custom field list.
The ps command offers 168 possible output fields; the most useful ones have been highlighted throughout this guide.
Original source: 值得收藏,史上最全Linux ps命令详解 , reposted from the AliDataOps public account, author Wen Maoquan.
