ps command on Linux (view processes) [Basic Guide]

The ps command in Linux generates a list of all running processes and their attributes.

There was a time in Linux when two versions of the ps command coexisted in different distributions. Not long ago, the developers decided to combine the two versions of PS into a single version, but left the options of both different versions coexisting.

Thus, when entering a parameter in the PS, the results will be different:

• Without using the minus sign “–“, ps behaves by showing processes in the BSD style;
• with a minus sign just “–” the ps behaves showing processes in the Unix style, using the POSIX standard;
• With two minus signs “—” ps behaves by showing processes in the GNU style.

There is no right or wrong, just historical preference.

The most common options for ps are:

• a Shows the running processes connected to a terminal, of all users;
• -a Shows the running processes connected to a terminal, minus the session processes;
• -e, -A Shows all processes;
• -u Shows the list of processes including the name of the users who own the processes and start of executions, percentage of CPU used, percentage of memory used, and associated terminal;
• -x Shows the list of processes, including those that they don’t have a terminal associated with it. Useful for viewing server processes (daemons);
• -f Shows processes in the form of a tree. Very useful for identifying the parent-child process relationship between running processes;
• -H Shows the hierarchy of processes in the form of a tree;

See the ps command help for more options.

In this example, PS only shows the processes of the user logged in and connected to the terminal:

$ ps
PID TTY TIME CMD
1415 pts/0 00:00:00 ps
30019 pts/0 00:00:00 bash

To show all processes for all users connected to a terminal:

$ ps to 
PID TTY STAT TIME COMMAND 
1628 pts/0 R+ 0:00 ps to 
3297 tty1 Ss+ 0:00 /sbin/agetty --noclear tty1 linux 
27159 pts/0 T 0:00 sudo find/-iname backup.sh

Notice how the “-a” option is different from the “a”:

$ ps -a PID TTY TIME CMD 1675 pts/0 00:00:00 ps 27159 pts/0 00:00:00 sudo 27160 pts/0 00:00:00 find

The “u” option adds some process attributes:

$ ps au 
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND 
root 3297 0.0 0.0 121336 1600 tty1 Ss+ ago15 0:00 /sbin/ agetty --noclear tty1 Linux 
root 3298 0.0 0.1 120984 2064 ttyS0 Ss+ ago15 0:00 /sbin/agetty --keep-baud 115200,38400,9600 
ec2-user 3414 0.0 0.1 164440 4032 pts/0 R+ 18:38 0:00 ps au 
root 27159 0.0 0.3 216984 6608 pts/0 T 17:46 0:00 sudo find/-iname backup.sh 
root 27160 0.0 0.1 128308 3944 pts/0 T 17:46 0:00 find/-iname backup.sh 
ec2- user 30019 0.0 0.2 127120 4348 pts/0 Ss 14:48 0:00 -bash

To get a complete list of running processes, not just those that are connected to the terminal, add the “x” option:

$ ps aux 
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND 
root 1 0.0 0.2 199452 4968? If ago15 9:23 /usr/lib/systemd/systemd --switched-root -- 
root 2 0.0 0.0 0 0? And ago15 12:00 [kthreadd] 
(...) 
ec2-user 30018 0.0 0.2 152864 4384? S 14:48 0:00 sshd: ec2-user @pts /0 
ec2-user 30019 0.0 0.2 127120 4348 pts/0 Ss 14:48 0:00 -bash 
postfix 30391 0.0 0.3 90536 6928? S 18:06 0:00 pickup -l -t unix -u

Processes whose commands are wrapped in keys, such as in the [ktheradd] highlight, indicate that they were removed from RAM and placed in virtual disk memory. When processes are in virtual disk memory, they are referred to as sleeping.

The Kernel often puts processes to sleep while they are waiting for an event, which may be, for example, loading data from the disk, or a network connection. When the event is triggered, the Kernel sends a signal to the process.

The “eFH” options show all processes, with their hierarchy in the form of a tree:

$ ps -eFh 
UID PID PPID C ESTIMATE TTY TIME CMD 
root 3252 1 0 Aug15? 00:00:00 /usr/sbin/sshd -D 
root 29998 3252 0 14:48? 00:00:00 sshd: ec2-user [priv] 
ec2-user 30018 29998 0 14:48? 00:00:00 sshd: ec2-user @pts /0

It is possible to play with the commands, such as, for example, knowing which processes consume the most CPU:

$ ps aux | sort -nrk 3.3 | head -n 5 
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND 
nginx 3342 0.2 1.6 426976 34048? On Aug 15 133:04 amplify-agent 
rpc 2729 0.0 0.1 73828 3276? If ago15 0:02 /sbin/rpcbind -w 
root 9421 0.0 0.0 0 0? I set13 0:01 [kworker/u 30:1] 
root 9 0.0 0.0 0 0? On Aug 15 12:00 [rcu_bh]

A very interesting option for programmers is to see the processes running ordered by memory consumption. To do this, simply change the sort column to 4:

$ ps -aux | sort -nk 4 | head -5 
chrony 745 0.0 0.0 80736 2988? If mar17 00:52 /usr/sbin/chronyd 
dbus 727 0.0 0.0 8872 3668? If mar17 12:10 /usr/bin/dbus-daemon --system 
ec2-user 24036 0.0 0.0 21720 5108? S 11:37 0:01 sshd: ec2-user @pts /0 
ec2-user 24037 0.0 0.0 117164 6248 pts/0 Ss 11:37 0:00 -bash 
ec2-user 32446 0.0 0.0 118552 3448 pts/0 R+ 16:51 0:00 ps -aux

Regardless of how you want to view the processes running, some attributes are important for a Linux administrator, such as:

Process Owner User (UID)

It’s impossible to run a program on Linux without it having an owner user. This means that the program will have the disk access permissions and resources of the user who ran the program. This notion is important because it is possible to execute a program as another user other than the logged-in user.

Process Number – Process ID (PID)

Every running program is assigned a unique numeric ID. This number can be used to send signals to the running program.

Parent Process (PPID)

Every program except init or systemd has a parent process that originated its execution. It is common for a server program, for example, to have a parent process (master) and several processes or threads (children).

Threads can be understood as pieces of the program that execute as if they were child processes, but are lighter, since they share a lot with the parent process. This technology is widely used in processors with several cores (cores) to allow several threads to run at the same time.

% of CPU

Each process gains a share of CPU time, which can be counted, and serves as a parameter for the administrator to know which processes consume a lot of CPU.

Memory%

Each running process also gains a share of RAM, which can also be counted to let the administrator know the processes that consume a lot of RAM

Start time (STIME)

Each process is also attributed to the time at which it was executed.

CPU time (TIME)

Each process also has as its attribute the CPU time accumulated during its execution.

Command line (CMD)

The processes also maintain an attribute, which is the command line that was used in the execution.

Terminal (TTY)

Each process may or may not have an associated Terminal. As a curiosity, what the ps command actually does is to scan some information from the /proc directory. Take the sshd process as an example:

$ ps aux | grep ssh 
root 3252 0.0 0.3 112928 7848? It's ago15 12:00 /usr/sbin/sshd -D

If we look at the /proc directory, it will have a subdirectory with the number 3252, which corresponds to the PID of the sshd program:

# cd /proc/3252 
# ls 
attr coredump_filter gid_map mem oom_adj root stack timerslack_ns 
autogroup cpuset & nbsp; io mountinfo oom_score sched stat uid_map 
auxv cwd latency mounts & nbsp; oom_score_adj schedulstat statm wchan 
cgroup environ limits mountstats pagemap sessionid status 
clear_refs exe ; loginuid net patch_state setgroups syscall 
cmdline fd map_files ns personality smaps & nbsp; task

com dinfo maps numa_maps project_map smaps_rollup timers

For example, the program’s command line with PID 3252 can be consulted with a simple cat:

# cat cmdline /usr/sbin/sshd-d

Various information about a process can be viewed in the /proc/ directory [PID number]. The ps utility only organizes the information for a more humane reading.