Linux process examination

process analysis

ps list the running processes

--forest display the forest of the processes

-e
-A display all the processes

-f display in full format

h suppress column headers

-o

user defined format (this table is incomplete and some lines are out of date)

code	header	description
`cmd`	CMD	simple name of executable
`flags`	F	flags as in long format F field
`pgrp`		process group ID
`tpgid`		controlling tty process group ID
`cutime`		cumulative user time
`cstime`		cumulative system time
`utime`		user time
`stime`		system time
`min_flt`		number of minor page faults
`maj_flt`		number of major page faults
`cmin_flt`		cumulative minor page faults
`cmaj_flt`		cumulative major page faults
`session`		session ID
`pid`		process ID
`ppid`		parent process ID
`rss`	RSS	resident set size the non-swapped physical memory that a task has used (in kiloBytes)
`rsize`	RSS
`rsz`	RSZ
`resident`		resident pages
`size`	SZ	approximate amount of swap space (in kiloBytes) that would be required if the process were to dirty all writable pages and then be swapped out
`share`		amount of shared pages
`tty`		the minor device number of tty
`start_time`		time process was started
`sz`	SZ	size in physical pages of the core image of the process
`uid`		user ID number
`user`		user name
`vsize`	VSZ	virtual memory usage (in kiloBytes) of entire process vm_lib + vm_exe + vm_data + vm_stack
`vsz`	VSZ
`priority`		kernel scheduling priority

-efLm list the number of threads and the threads of each process

-eLm 123 list the threads of process 123

pv monitor the progress of data through a pipe

`fuser`	indicate the processes using a file or a socket
`-m path`	list the process accessing the mounted file system containing `path`
`-v`	display the commands in addition to the PIDs
`-k`	kill the processes with SIGKILL
`-ki`	ask for confirmation before killing processes
`-<signal>`	kill the processes with `signal`

pstack pid […] print a stack trace of running processes
pmap pid list the memory mappings of the process

`strace command`	trace the system calls of a process
`-p pid`	attach to process `pid`
`-f`	follow the child processes
`-s 128`	set the string truncation limit to 128
`-o <file>`	write trace in file `<file>`
`-ff`	(use with `-o`) write trace in `<file>.pid`
`-e trace=file`	trace all system calls which take a file name as a parameter
`-e trace=mmap2,munmap`	trace the memory map system calls
`-f -e trace=execvp -s 128`	follow the hierarchy of `fork`s/`exec`s

ltrace command trace the library calls of a process

-p pid attach to process pid

-C demangle the C++ names

-s 128 set the string truncation limit to 128

-S display also the system calls

-A col align the return values on column col

-l lib

limit the traces to the specified library
for example, trace the calls to the foobar.so library:

#> ltrace -C -l /the/path/foobar.so quux

-f follow the child processes

-o <file> write trace in file <file>

-ff (use with -o) write trace in <file>.pid

/proc/self the directory of the process itself

/proc/<pid>/cmdline the command line used to starts the process

/proc/<pid>/cwd a link toward the current directory of the process

/proc/<pid>/environ

environment of the process
display it by using

cat environment | tr "\000" "\n"

/proc/<pid>/root a link toward the root directory of the process

/proc/<pid>/exe a link toward the binary of the process

/proc/<pid>/fd/<fd> a symbolic link toward the file whose file descriptor is <fd>

/proc/<pid>/maps

parts of the process’ address space which are currently mapped to a file.
The fields, from left to right, are:

the address space associated to this mapping (start address - end address)
the permissions associated to this mapping
the offset from the beginning of the file where the mapping starts
the device on which the mapped file is located
the inode number of the file
the name of the file itself

/proc/<pid>/mem memory of the process

/proc/<pid>/stat some information

/proc/<pid>/statm summary of the process memory usage

/proc/<pid>/status human readable file containing most of the information which is in /proc/<pid>/stat and /proc/<pid>/statm

`nm`	dump the symbols of a binary
`-A`	prepend each line with the filename

`objdump`	extract information from object file
`-D`	disassemble a binary
`-t` `--syms`	print the symbol table entries of the file
`-C` `--demangle`	demangle the C++ names

impede generation of core files
- at the system level, add the line
  
  * hard core 0
  
  in the file /etc/security/limits.conf
- at the shell level
  
  #> ulimit -c 0
  
  (bash)
  
  #> limit coredumpsize 0
  
  (tcsh)

profiling

profile a binary:
compile and link all the code with -pg (the profiling does not work with shared libraries, so the libraries which are interesting should be statically linked)

/path_to_bin/myBin
                                    

                                        gprof -z /path_to_bin/myBin gmon.out

profile a shared library:

setenv LD_PROFILE_OUTPUT /tmp/prof.001
                                    

                                        mkdir $LD_PROFILE_OUTPUT
                                    

                                        setenv LD_PROFILE libMyLib.so
                                    

                                        /path_to_bin/myBin
                                    

                                        sprof /path_to_lib/$LD_PROFILE $LD_PROFILE_OUTPUT/$LD_PROFILE.profile

(this gives the number of calls, but no timing)

miscellaneous

`addr2line 0x40006D -e foobar`	print the source file name and line number of the executable `foobar` corresponding to the address `0x40006D`
`-f`	also display the routine name

miscellaneous

Many of these tools use libelf to parse the ELF files.