Meet the ‘Four Detectives’ of Linux: Mastering ps, dstat, top & htop

Four Famous Detectives (Linux Commands)

The "four famous detectives" originally from a wuxia novel are re‑imagined as Linux commands that help you monitor processes: Wuqing (ps), Tiehand (dstat), Zhuiming (top) and Lengxue (htop).

1. Light‑skill "Wuqing" – ps

ps

displays the current process status (static). It supports three option styles:

UNIX style – options prefixed with a single

-

BSD style – options without any prefix

GNU style – options prefixed with double

--

Commonly used combinations:

ps aux

: a all with terminal, x all without terminal, u user‑oriented output.

ps -ef

: show every process in full format.

ps -eFH

: full format with CPU utilization (

C

) and CPU number (

PSR

), hierarchical view.

ps -eo pid,ni,priority,psr,pcpu,stat,comm,tty,ppid,rtprio

: custom field list.

Key output columns:

CPU% – CPU time usage percentage

MEM% – memory usage percentage

VSZ – virtual memory size

RSS – resident set size

STAT – process state (R, S, D, T, Z, +, l, N, <, s)

2. Inner‑skill "Tiehand" – dstat

dstat

is a dynamic system‑resource statistics tool.

Typical usage:

dstat [-afv] [options] [delay [count]]

-c

,

--cpu

: CPU statistics

-d

,

--disk

: Disk statistics

-g

: Page‑related rates

-m

: Memory statistics

-n

: Network interface statistics

-p

: Process‑related statistics

-r

: I/O request statistics

-s

: Swap statistics

--tcp

,

--udp

,

--raw

,

--socket

,

--ipc

: socket and IPC info

--top-cpu

,

--top-io

,

--top-mem

: show top consumers

3. Leg‑skill "Zhuiming" – top

top

provides a dynamic, real‑time view of Linux processes.

Typical header example:

<code>top - 14:58:34 up 5:28, 1 user, load average: 0.01, 0.02, 0.05</code>

Time, uptime, user count, load average

Tasks: total, running, sleeping, stopped, zombie

CPU line: %us (user), %sy (system), %ni (nice), %id (idle), %wa (IO wait), %hi (hardware IRQ), %si (software IRQ), %st (steal)

Memory line: total, free, used, buff/cache (KiB)

Swap line: total, free, used, available

Key columns in the process list:

PID , USER , PR , NI , VIRT , RES , SHR , S , %CPU , %MEM , TIME+ , COMMAND

Sorting keys:

P : sort by CPU usage

M : sort by memory usage

T : sort by cumulative CPU time

4. Sword‑skill "Lengxue" – htop

htop

is an interactive process viewer with richer UI.

Common options:

-d #

: set delay interval

-u USER

: show only processes of a specific user

-s COLUMN

: sort by a given column

Useful sub‑commands:

l

: list open files of a process

s

: trace system calls

t

: display processes in a tree view

a

: bind a process to a specific CPU core

Together, these four tools form a powerful toolkit for system administrators and developers to observe, analyze, and troubleshoot Linux processes efficiently.