Using "ps" shell command
Here's a normal output from ps command with -ef parameters./home/zhangy/> ps -ef UID PID PPID C...
Here's a normal output from ps command with -ef parameters.
/home/zhangy/> ps -ef
UID PID PPID C STIME TTY TIME CMD
root 1 0 0 Dec 03 - 13:32 /etc/init
root 3932 1 0 Dec 03 - 0:01 /usr/lib/errdemon
root 4670 1 1 Dec 03 - 416:09 /usr/sbin/syncd 60
root 5196 7498 0 Dec 03 - 0:06 /usr/local/sbin/sshd
...
- -e: Print all processes info except kernel processes.
- -f: Here tells ps to show user name instead of user id at UID and to show parameters for command at CMD.
- UID: The user who kicked off the process
- PID: The process ID of the process
- PPID: The process ID of the parent process
- C: Usage of CPU
- STIME: The starting time of the process
- TTY:
- TIME: The total run time of the process
- CMD: The command with parameters and its full path
Tips
We use PID and PPID to track process tree. For killing any process, we should refer to PID. To track PPID we could kill a group of related processes.
STIME is very helpful to indicate the multi-process with the same script name. Usually they have different run time.
CMD is also helpful to get command name and path.
Reference
A full reference on column explaination from unix man page.
ADDR
(-l and l flags) Contains the segment number of the process stack, if normal;
if a kernel process, the address of the preprocess data area.
BND
(-o THREAD flag) The logical processor number of the processor to which the
kernel thread is bound (if any). For a process, this field is shown if all its
threads are bound to the same processor.
C
(-f, l, and -l flags) CPU utilization of process or thread, incremented each
time the system clock ticks and the process or thread is found to be running.
The value is decayed by the scheduler by dividing it by 2 once per second. For
the sched_other policy, CPU utilization is used in determining process
scheduling priority. Large values indicate a CPU intensive process and result
in lower process priority whereas small values indicate an I/O intensive
process and result in a more favorable priority.
CMD
(-f, -l, and l flags) Contains the command name. The full command name and its
parameters are displayed with the -f flag.
COMMAND
(s, u, and v) Contains the command name. The full command name and its
parameters are displayed with the -f flag.
F Field Table
Flags Hexadecimal Value Definition
SLOAD 0x00000001 Indicates that the process is operating in core memory.
SNOSWAP 0x00000002 Indicates that the process cannot be swapped out.
STRC 0x00000008 Indicates that the process is being traced.
SWTED 0x00000010 Indicates that the process stopped while being traced.
SFWTED 0x00000020 Indicates that the process stopped after a call to the fork
subroutine, while being traced.
SEWTED 0x00000040 Indicates that the process stopped after a call to the exec
subroutine, while being traced.
SLWTED 0x00000080 Indicates that the process stopped after a call to the load
or unload subroutine, while being traced.
SFIXPRI 0x00000100 Indicates that the process has a fixed priority, ignoring
the pcpu field descriptor.
SKPROC 0x00000200 Indicates a Kernel process.
SOMASK 0x00000400 Indicates restoration of the old mask after a signal is
received.
SWAKEONSIG 0x00000800 Indicates that the signal will abort the sleep
subroutine. The contents must not be equal to those of the PCATCH flag. The
contents of both PCATCH and SWAKEONSIG must be greater than those of PMASK.
SUSER 0x00001000 Indicates that the process is in user mode.
SLKDONE 0x00002000 Indicates that the process has done locks.
STRACING 0x00004000 Indicates that the process is a debugging process.
SMPTRACE 0x00008000 Indicates multi-process debugging.
SEXIT 0x00010000 Indicates that the process is exiting.
SSEL 0x00020000 Indicates that the processor is selecting: wakeup/waiting
danger.
SORPHANPGRP 0x00040000 Indicates an orphaned process group.
SNOCNTLPROC 0x00080000 Indicates that the session leader relinquished the
controlling terminal.
SPPNOCLDSTOP 0x00100000 Indicates that the SIGHLD signal is not sent to the
parent process when a child stops.
SEXECED 0x00200000 Indicates that process has been run.
SJOBSESS 0x00400000 Indicates that job control was used in the current
session.
SJOBOFF 0x00800000 Indicates that the process is free from job control.
PSIGDELIVERY 0x01000000 Indicates that the process is used by the
program-check handler.
SRMSHM 0x02000000 Indicates that the process removed shared memory during a
call to the exit subroutine.
SSLOTFREE 0x04000000 Indicates that the process slot is free.
SNOMSG 0x08000000 Indicates that there are no more uprintf subroutine
messages.
F
(-l and l flags) Some of the more important F field flags (hexadecimal and
additive) associated with processes and threads are shown below:
F Field Table
Flags Hex Value Definition
SLOAD 0x00000001 Indicates that the process is operating in core memory.
SNOSWAP 0x00000002 Indicates that the process cannot be swapped out.
STRC 0x00000008 Indicates that the process is being traced.
SKPROC 0x00000200 Indicates a kernel process.
SEXIT 0x00010000 Indicates that the process is exiting.
SEXECED 0x00200000 Indicates that the process has been run.
SEXECING 0x01000000 Indicates that the process is execing (performing an
exec).
TKTHREAD 0x00001000 Indicates that the thread is a kernel-only thread.
Note: You can see the definitions all process and thread flags by consulting
the p_flags and t_flags fields in the /usr/include/sys/proc.h and
/usr/include/sys/thread.h files respectively.
LIM
(v flag) The soft limit on memory used, specified via a call to the setrlimit
subroutine. If no limit has been specified, then shown as xx. If the limit is
set to the system limit, (unlimited), a value of UNLIM is displayed.
NI
(-l and l flags) The nice value; used in calculating priority for the sched
other policy.
PID
(all flags) The process ID of the process.
PGIN
(v flag) The number of disk I/Os resulting from references by the process to
pages not loaded in core.
PPID
(-f, l, and -l flags) The process ID of the parent process.
PRI
(-l and l flags) The priority of the process or kernel thread ; higher numbers
mean lower priority.
RSS
(v flag) The real-memory (resident set) size of the process (in 1KB units).
S
(-l and l flags) The state of the process or kernel thread :
For processes:
O
Nonexistent
A
Active
W
Swapped
I
Idle (waiting for startup)
Z
Canceled
T
Stopped
For kernel threads:
O
Nonexistent
R
Running
S
Sleeping
W
Swapped
Z
Canceled
T
Stopped
SC
(-o THREAD flag) The suspend count of the process or kernel thread. For a
process, the suspend count is defined as the sum of the kernel threads suspend
counts.
SCH
(-o THREAD flag) The scheduling policy for a kernel thread. The policies
sched_other, sched_fifo, and sched_rr are respectively displayed using: 0, 1,
2.
SIZE
(v flag) The virtual size of the data section of the process (in 1KB units).
SSIZ
(s flag) The size of the kernel stack. This value is always 0 (zero) for a
multi-threaded process.
STAT
(s, u, and v flags) Contains the state of the process:
0
Nonexistent
A
Active
I
Intermediate
Z
Canceled
T
Stopped
K
Available kernel process
STIME
(-f and u flags) The starting time of the process. The LANG environment
variables control the appearance of this field.
SZ
(-l and l flags) The size in 1KB units of the core image of the process.
THCNT
(-o thcount flag) The number of kernel threads owned by the process.
TID
(-o THREAD flag) The thread ID of the kernel thread.
TIME
(all flags) The total execution time for the process.
TRS
(v flag) The size of resident-set (real memory) of text.
TSIZ
(v flag) The size of text (shared-program) image.
TTY
(all flags) The controlling workstation for the process:
-
The process is not associated with a workstation.
?
Unknown.
Number
The TTY number. For example, the entry 2 indicates TTY2.
UID
(-f, -l, and l flags) The user ID of the process owner. The login name is
printed under the -f flag.
USER
(u flag) The login name of the process owner.
WCHAN
(-l flag) The event for which the process or kernel thread is waiting or
sleeping. For a kernel thread, this field is blank if the kernel thread is
running. For a process, the wait channel is defined as the wait channel of the
sleeping kernel thread if only one kernel thread is sleeping; otherwise a star
is displayed.
WCHAN
(l flag) The event on which process is waiting (an address in the system). A
symbol is chosen that classifies the address, unless numerical output is
requested.
%CPU
(u and v flags) The percentage of time the process has used the CPU since the
process started. The value is computed by dividing the time the process uses
the CPU by the elapsed time of the process. In a multi-processor environment,
the value is further divided by the number of available CPUs since several
threads in the same process can run on different CPUs at the same time.
(Because the time base over which this data is computed varies, the sum of all
%CPU fields can exceed 100%.)
%MEM
(u and v flags) The percentage of real memory used by this process.
A full reference on flag parameters from unix man page.
Flags
The following flags are preceded by a - (minus sign):
-A Writes to standard output information about all processes.
-a Writes to standard output information about all processes, except the session
leaders and processes not associated with a terminal.
-c Clist Displays only information about processes assigned to the workload
management classes listed in the Clist variable. The Clist variable is either a
comma separated list of class names or a list of class names enclosed in double
quotation marks (" "), which is separated from one another by a comma or by one
or more spaces, or both.
-d Writes information to standard output about all processes, except the session
leaders.
-e Writes information to standard output about all processes, except kernel
processes.
-F Format Same as -o Format
-f Generates a full listing.
-G Glist Writes information to standard output only about processes that are in
the process groups listed for the Glist variable. The Glist variable is either a
comma-separated list of process group identifiers or a list of process group
identifiers enclosed in double quotation marks (" ") and separated from one
another by a comma or by one or more spaces. This flag is equivalent to the -g
Glist flag.
-g Glist This flag is equivalent to the -G Glist flag.
-k Lists kernel processes.
-l Generates a long listing. See also the l flag.
-m Lists kernel threads as well as processes. Output lines for processes are
followed by an additional output line for each kernel thread. This flag does not
display thread-specific fields ( bnd, scount, sched, thcount, and tid), unless
the appropriate -o Format flag is specified.
-N Gathers no thread statistics. With this flag ps simply reports those
statistics that can be obtained by not traversing through the threads chain for
the process.
-n NameList Specifies an alternative system name-list file in place of the
default. The operating system does not use the -n flag, since information is
supplied directly to the kernel.
-o Format Displays information in the format specified by the Format variable.
Multiple field specifiers can be specified for the Format variable. The Format
variable is either a comma-separated list of field specifiers or a list of field
specifiers enclosed within a set of " " (double-quotation marks) and separated
from one another by a comma or by one or more spaces, or both.
Each field specifier has a default header. The default header can be overridden
by appending an = (equal sign) followed by the user-defined text for the header.
The fields are written in the order specified on the command line in column
format. The field widths are specified by the system to be at least as wide as
the default or user-defined header text. If the header text is null, (such as if
-o user= is specified), the field width is at least as wide as the default
header text. If all header fields are null, no header line is written.
The following field specifiers are recognized by the system:
args
Indicates the full command name being executed. All command-line arguments are
included, though truncation may occur. The default header for this field is
COMMAND.
bnd
Indicates to which (if any) processor a process or kernel thread is bound. The
default header for this field is BND.
class
Indicates the workload management class assigned to the process. the default
header for this field is CLASS.
comm
Indicates the short name of the command being executed. Command-line arguments
are not included. The default header for this field is COMMAND.
cpu
Determines process scheduling priority. CPU utilization of process or thread,
incremented each time the system clock ticks and the process or thread is
found to be running. The value is decayed by the scheduler by dividing it by 2
once per second. For the sched_other policy, Large values indicate a CPU
intensive process and result in lower process priority whereas small values
indicate an I/O intensive process and result in a more favorable priority.
etime
Indicates the elapsed time since the process started. The elapsed time is
displayed in the following format:
[[ dd-]hh:]mm:ss
where dd specifies the number of days, hh specifies the number of hours, mm
specifies the number of minutes, and ss specifies the number of seconds. The
default header for this field is ELAPSED.
group
Indicates the effective group ID of the process. The textual group ID is
displayed. If the textual group ID cannot be obtained, a decimal
representation is used. The default header for this field is GROUP.
nice
Indicates the decimal value of the process nice value. The default header for
this field is NI.
-o Format (Continued)
pcpu
Indicates the ratio of CPU time used to CPU time available, expressed as a
percentage. The default header for this field is %CPU.
pgid
Indicates the decimal value of the process group ID. The default header for
this field is PGID.
pid
Indicates the decimal value of the process ID. The default header for this
field is PID.
ppid
Indicates the decimal value of the parent process ID. The default header for
this field is PPID.
rgroup
Indicates the real group ID of the process. The textual group ID is displayed.
If the textual group ID cannot be obtained, a decimal representation is used.
The default header for this field is RGROUP.
ruser
Indicates the real user ID of the process. The textual user ID is displayed.
If the textual user ID cannot be obtained, a decimal representation is used.
The default header for this field is RUSER.
scount
Indicates the suspend count for a kernel thread. The default header for this
field is SC.
sched
Indicates the scheduling policy for a kernel thread. The default header for
this field is SCH.
tag
Indicates the Workload Manager application tag. The default header for this
field is TAG. The tag is a character string up to 30 characters long and may
be truncated when displayed by ps. For processes which do not set their tag,
this field displays as a hyphen (-).
thcount
Indicates the number of kernel threads owned by the process. The default
header for this field is THCNT.
-o Format (Continued)
THREAD
Indicates the following fields:
o User name (the uname field)
o Process and parent process IDs for processes (the pid and ppid fields)
o Kernel thread ID for threads (the tid field)
o The state of the process or kernel thread (the S field)
o The CPU utilization of the process or kernel thread (the C field)
o The priority of the process or kernel thread (the PRI field)
o The suspend count of the process or kernel thread (the scount field)
o The wait channel of the process or kernel thread (the WCHAN field)
o The flags of the process or kernel thread (the F field)
o The controlling terminal of the process (the tty field)
o The CPU to which the process or kernel thread is bound (the bnd field)
o The command being executed by the process (the comm field).
Threads are not actually displayed with the -o THREAD flag, unless the -m flag
is also specified.
tid
Indicates the thread ID of a kernel thread. The default header for this field
is TID.
time
Indicates the cumulative CPU time since the process started. The time is
displayed in the following format:
[ dd-]hh:mm:ss
where dd specifies the number of days, hh specifies the number of hours, mm
specifies the number of minutes, and ss specifies the number of seconds. The
default header for this field is TIME.
tty
Indicates the controlling terminal name of the process. The default header for
this field is TT.
user
Indicates the effective user ID of the process. The textual user ID is
displayed. If the textual user ID cannot be obtained, a decimal representation
is used. The default header for this field is USER.
vsz
Indicates, as a decimal integer, the size in kilobytes of the process in
virtual memory. The default header for this field is VSZ.
-o Format (Continued)
Otherwise, multiple fields in a specified format can be displayed by the Format
variable, including field descriptors. If field descriptors are used in the
Format variable, it must be enclosed in double quotation marks (" "). The
following table shows how field descriptors correspond to field specifiers:
Field Field Default
Descriptors Specifiers Headers
%a args COMMAND
%c comm COMMAND
%t etime ELAPSED
%G group GROUP
%n nice NI
%C pcpu %CPU
%r pgid PGID
%p pid PID
%P ppid PPID
%g rgroup RGROUP
%u ruser RUSER
%x time TIME
%y tty TTY
%U user USER
%z vsz VSZ
-p Plist Displays only information about processes with the process numbers
specified for the Plist variable. The Plist variable is either a comma separated
list of process ID numbers or a list of process ID numbers enclosed in double
quotation marks (" ") and separated from one another by a comma or by one or
more spaces, or both.
-t Tlist Displays only information about processes associated with the
workstations listed in the Tlist variable. The Tlist variable is either a comma
separated list of workstation identifiers or a list of workstation identifiers
enclosed in double quotation marks (" ") and separated from one another by a
comma or by one or more spaces, or both.
-U Ulist Displays only information about processes with the user ID numbers or
login names specified for the Ulist variable. The Ulist variable is either a
comma-separated list of user IDs or a list of user IDs enclosed in double
quotation marks (" ") and separated from one another by a comma and one or more
spaces. In the listing, the ps command displays the numerical user ID unless the
-f flag is used; then the command displays the login name. This flag is
equivalent to the -u Ulist flag. See also the u flag.
-u Ulist This flag is equivalent to the -U Ulist flag.
Options
The following options are not preceded by a - (minus sign):
a Displays information about all processes with terminals (ordinarily only the
user's own processes are displayed).
c Displays the command name, as stored internally in the system for purposes of
accounting, rather than the command parameters, which are kept in the process
address space.
e Displays the environment as well as the parameters to the command, up to a
limit of 80 characters.
ew Wraps display from the e flag one extra line.
eww Wraps display from the e flag as many times as necessary.
g Displays all processes.
l Displays a long listing having the F, S, UID, PID, PPID, C, PRI, NI, ADDR, SZ,
PSS, WCHAN, TTY, TIME, and CMD fields.
n Displays numerical output. In a long listing, the WCHAN field is printed
numerically rather than symbolically. In a user listing, the USER field is
replaced by a UID field.
s Displays the size (SSIZ) of the kernel stack of each process (for use by
system maintainers) in the basic output format. This value is always 0 (zero)
for a multi-threaded process.
t Tty Displays processes whose controlling tty is the value of the Tty variable,
which should be specified as printed by the ps command; that is, 0 for terminal
/dev/tty/0, lft0 for /dev/lft0 , and pts/2 for /dev/pts/2.
u Displays user-oriented output. This includes the USER, PID, %CPU, %MEM, SZ,
RSS, TTY, STAT, STIME, TIME, and COMMAND fields.
v Displays the PGIN, SIZE, RSS, LIM, TSIZ, TRS, %CPU, %MEM fields.
w Specifies a wide-column format for output (132 columns rather than 80). If
repeated, (for example, ww), uses arbitrarily wide output. This information is
used to decide how much of long commands to print.
x Displays processes with no terminal.
Some examples from unix man page.
Examples
1. To display all processes, enter:
ps -e -f
2. To list processes owned by specific users, enter:
ps -f -l -ujim,jane,su
3. To list processes that are associated with the /dev/console and /dev/tty1
ttys, enter:
ps -t console,tty/1
4. To list processes not associated with a terminal, enter:
ps -t -
5. To display a specified format with field specifiers, enter:
ps -o ruser,pid,ppid=parent,args
The output is:
RUSER PID parent COMMAND
helene 34 12 ps -o ruser,pid,ppid=parent,args
6. To display a specified format with field descriptors, enter:
ps -o "< %u > %p %y : %a"
The output is:
< RUSER > PID TT : COMMAND
< helene > 34 pts/3 : ps -o < %u > %p %y : %a
7. To display information about processes and kernel threads controlled by the
current terminal , enter:
ps -lm
The output is similar to:
F S UID PID PPID C PRI NI ADDR SZ WCHAN TTY TIME CMD
240003 A 26 8984 7190 1 60 20 2974 312 pts/1 0:00 -ksh
400 S - - - 1 60 - - - - - -
200005 A 26 9256 8984 15 67 20 18ed 164 pts/1 0:00 ps
0 R - - - 15 67 - - - - - -
8. To display information about all processes and kernel threads, enter:
ps -emo THREAD
The output is similar to:
USER PID PPID TID S C PRI SC WCHAN FLAG TTY BND CMD
jane 1716 19292 - A 10 60 1 * 260801 pts/7 - biod
- - - 4863 S 0 60 0 599e9d8 8400 - - -
- - - 5537 R 10 60 1 5999e18 2420 - 3 -
luke 19292 18524 - A 0 60 0 586ad84 200001 pts/7 - -ksh
- - - 7617 S 0 60 0 586ad84 400 - - -
luke 25864 31168 - A 11 65 0 - 200001 pts/7 - -
- - - 8993 R 11 65 0 - 0 - - -
