Unlock Powerful Sysdig Commands for Network, Container, and Security Monitoring
Explore a comprehensive collection of sysdig command examples that let you monitor network bandwidth, container resources, HTTP traffic, disk I/O, CPU usage, performance bottlenecks, and security events, with ready-to-use snippets for Linux systems and containerized environments.
Sysdig Command Examples
Network
View the process consuming the most network bandwidth
sysdig -c topprocs_net
Show network traffic for host 192.168.0.1 (binary)
sysdig -s2000 -X -c echo_fds fd.cip=192.168.0.1
Show network traffic for host 192.168.0.1 (ASCII)
sysdig -s2000 -A -c echo_fds fd.cip=192.168.0.1
List server ports with most connections (by established connections)
sysdig -c fdcount_by fd.sport "evt.type=accept"
List server ports with most connections (by total bytes)
sysdig -c fdbytes_by fd.sport
Show client IPs with most connections (by established connections)
sysdig -c fdcount_by fd.cip "evt.type=accept"
Show client IPs with most connections (by total bytes)
sysdig -c fdbytes_by fd.cip
List connections that are not to the Apache service
sysdig -p"%proc.name %fd.name" "evt.type=accept and proc.name!=httpd"
Containers
List running containers and their resource usage
sudo csysdig -vcontainers
Show processes inside container contexts
sudo csysdig -pc
Show CPU usage inside the wordpress1 container
sudo sysdig -pc -c topprocs_cpu container.name=wordpress1
Show network bandwidth usage inside the wordpress1 container
sudo sysdig -pc -c topprocs_net container.name=wordpress1
Show the process using the most network bandwidth inside wordpress1
sudo sysdig -pc -c topprocs_net container.name=wordpress1
Show the file with the most I/O bytes inside wordpress1
sudo sysdig -pc -c topfiles_bytes container.name=wordpress1
Rank network connections inside wordpress1
sudo sysdig -pc -c topconns container.name=wordpress1
List all commands executed inside wordpress1
sudo sysdig -pc -c spy_users container.name=wordpress1
Applications
Show all HTTP requests on the machine
sudo sysdig -s 2000 -A -c echo_fds fd.port=80 and evt.buffer contains GET
Show all SQL SELECT queries on the machine
sudo sysdig -s 2000 -A -c echo_fds evt.buffer contains SELECT
Monitor Apache queries to an external MySQL server in real time
sysdig -s 2000 -A -c echo_fds fd.sip=192.168.30.5 and proc.name=apache2 and evt.buffer contains SELECT
Disk I/O
Show the process using the most disk bandwidth
sysdig -c topprocs_file
List processes using many file descriptors
sysdig -c fdcount_by proc.name "fd.type=file"
Show top files by read+write bytes
sysdig -c topfiles_bytes
Show top files accessed by Apache
sysdig -c topfiles_bytes proc.name=httpd
Basic opensnoop: capture file opens as they occur
sysdig -p "%12user.name %6proc.pid %12proc.name %3fd.num %fd.typechar %fd.name" evt.type=open
Show top directories by read/write activity
sysdig -c fdbytes_by fd.directory "fd.type=file"
Show top files by read/write activity in /tmp
sysdig -c fdbytes_by fd.filename "fd.directory=/tmp/"
Observe I/O activity on files named 'passwd'
sysdig -A -c echo_fds "fd.filename=passwd"
Display I/O activity by file descriptor type
sysdig -c fdbytes_by fd.type
Processes and CPU Usage
Show top processes by CPU usage
sysdig -c topprocs_cpu
Show top processes on CPU 0
sysdig -c topprocs_cpu evt.cpu=0
Observe the standard output of a process (e.g., cat)
sysdig -s4096 -A -c stdout proc.name=cat
Performance and Errors
Show files where most time has been spent
sysdig -c topfiles_time
Show files where Apache spent most time
sysdig -c topfiles_time proc.name=httpd
Show top processes with I/O errors
sysdig -c topprocs_errors
Show top files with I/O errors
sysdig -c topfiles_errors
List all failed disk I/O calls
sysdig fd.type=file and evt.failed=true
List failed file opens by httpd
sysdig "proc.name=httpd and evt.type=open and evt.failed=true"
Show system calls where most time has been spent
sysdig -c topscalls_time
Show top system calls returning errors
sysdig -c topscalls "evt.failed=true"
Snoop failed file opens as they occur
sysdig -p "%12user.name %6proc.pid %12proc.name %3fd.num %fd.typechar %fd.name" evt.type=open and evt.failed=true
Print file I/O calls with latency greater than 1 ms
sysdig -c fileslower 1
Security
Show directories visited by the user "root"
sysdig -p"%evt.arg.path" "evt.type=chdir and user.name=root"
Observe SSH activity
sysdig -A -c echo_fds fd.name=/dev/ptmx and proc.name=sshd
Show every file open occurring in /etc
sysdig evt.type=open and fd.name contains /etc
Show the login shell IDs that launched the "tar" command
sysdig -r file.scap -c list_login_shells tar
Show all commands executed by a specific login shell ID
sysdig -r trace.scap.gz -c spy_users proc.loginshellid=5459
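Triage sketch for the /etc file-open command above, combined with the opensnoop format string from the Disk I/O section. This is an added example, not part of the original article; the function names, the watchlist, the allowlist and the sample lines are constructed assumptions.

```shell
# Constructed sample in the page's opensnoop column layout:
#   user  pid  process  fd  type  path
sample_events() {
    cat <<'EOF'
root           812         sshd   4 f /etc/shadow
www-data      2291      apache2  11 f /etc/passwd
root          4120          tar   3 f /etc/shadow
root          4120          tar   4 f /etc/gshadow
root          4177          tar   3 f /etc/shadow
root          5002      python3   3 f /etc/sudoers.d/deploy
root          1010         cron   5 f /etc/crontab
EOF
}

# Assumed watchlist and allowlist, for illustration only; tune per host.
WATCHLIST='/etc/shadow /etc/gshadow /etc/sudoers'
ALLOWED='sshd sudo su login passwd cron'

# Reads opensnoop-style lines on stdin and prints "count user process path"
# for watched files opened by processes outside the allowlist.
flag_sensitive_opens() {
    awk -v watch="$WATCHLIST" -v allow="$ALLOWED" '
        BEGIN {
            n = split(watch, w, " "); for (i = 1; i <= n; i++) sensitive[w[i]] = 1
            n = split(allow, a, " "); for (i = 1; i <= n; i++) allowed[a[i]] = 1
        }
        NF >= 6 {
            # Rejoin the path in case it contains spaces.
            path = $6; for (i = 7; i <= NF; i++) path = path " " $i
            watched = (path in sensitive) || (path ~ /^\/etc\/sudoers\.d\//)
            if (watched && !($3 in allowed)) count[$1 " " $3 " " path]++
        }
        END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# Offline run on the constructed sample:
sample_events | flag_sensitive_opens
# Live use, reusing the page's format string and /etc filter; -M 60 ends the
# capture after 60 seconds so the summary is printed:
#   sudo sysdig -M 60 -p "%12user.name %6proc.pid %12proc.name %3fd.num %fd.typechar %fd.name" \
#     "evt.type=open and fd.name contains /etc" | flag_sensitive_opens
```

On systems where file opens are issued through the openat system call, widen the filter to "(evt.type=open or evt.type=openat) and fd.name contains /etc" so those events reach the summary.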
