25 Linux PS Command Examples Every System Admin Must Know

Every program that runs on a Linux system is called a process. Each process has its
own unique process ID. We can find out which processes are currently running on the system using
the “ps” command.

With the “ps” command, we can also find out how many resources a process is using, such as
memory and CPU. Sometimes a few processes take up a large amount of resources, which slows the
system down. These kinds of problems can be identified using the “ps” command.

Let’s go through usage examples of the “ps” command.

Usage 1: PS command without options.

SLTMachine: # ps

PID TTY TIME CMD

6350 pts/2 00:00:00 ps

25025 pts/2 00:00:00 su


25026 pts/2 00:00:00 bash

This is the basic usage of ps. It displays information about PID (process ID), TTY (machine where
it is executed), TIME (how long it has been running), and CMD (what command it is running).

Usage 2: Print every process on the Linux system.

SLTMachine: # ps -e

PID TTY TIME CMD

1 ? 00:00:02 init

2 ? 00:00:09 migration/0

3 ? 00:00:00 ksoftirqd/0

Usage 3: Print every process launched by the user “srinivas” on the machine.

SLTMachine: # ps -lf -u root

F S UID PID PPID C PRI NI ADDR SZ WCHAN STIME TTY TIME CMD

4 S root 1 0 0 76 0 - 183 410374 2016 ? 00:00:02 init [5]

1 S root 2 1 0 -40 - - 0 migrat 2016 ? 00:00:09 [migration/0]

1 S root 3 1 0 94 19 - 0 ksofti 2016 ? 00:00:00 [ksoftirqd/0]

1 S root 4 1 0 -40 - - 0 migrat 2016 ? 00:00:03 [migration/1]

Usage 4: Print every process launched by the group called “administrators” on the
machine.

SLTMachine: # ps -lf -g administrators

It gives information about the processes launched by the group “administrators” only.

Usage 5: Print only the name of the process with PID 5678.

SLTMachine # ps -p 5678 -o comm=

Usage 6: Print a process by its process ID on the machine.

SLTMachine # ps -f -p 6800

UID PID PPID C STIME TTY TIME CMD

root 6800 1 0 2016 ? 00:00:03 gnome-power-manager --sm-disable

Each process is identified by its unique ID. With the above command, I am trying to find the
process which has process ID 6800.

Usage 7: Print processes launched by their parent process ID on the machine.

SLTMachine # ps -f --ppid 1

UID PID PPID C STIME TTY TIME CMD

root 2 1 0 2016 ? 00:00:09 [migration/0]

root 3 1 0 2016 ? 00:00:00 [ksoftirqd/0]

root 4 1 0 2016 ? 00:00:03 [migration/1]

root 5 1 0 2016 ? 00:00:00 [ksoftirqd/1]

root 6 1 0 2016 ? 00:00:02 [migration/2]

Every process can create subprocesses if required. For example, the root process kick-starts all the
other applications on the machine.

In the above command, I am trying to find the processes launched by root process 1.

Usage 8: Print a process by its name on the machine.


SLTMachine # ps -C virus

I am trying to find the process called “virus” here.

Usage 9: Sort processes by their CPU usage on the machine.

SLTMachine # ps aux --sort=-pcpu

(or)

SLTMachine # ps aux --sort=+pcpu

(Here +/- denotes the ascending or descending order)

Usage 10: Sort processes by their memory usage on the machine.

SLTMachine # ps aux --sort=-pmem

(or)

SLTMachine # ps aux --sort=+pmem

(Here +/- denotes the ascending or descending order)

Usage 11: Display threads of a process

SLTMachine # ps -p 2230 -L

Here ‘-L’ gives information about the threads of process ID 2230.


Usage 12: Display threads of a process

SLTMachine # watch -n 1 'ps -e -o pid,ppid,uname,cmd,pmem,pcpu --sort=-pmem,-pcpu | head -15'

Every 1.0s: ps -e -o pid,ppid,uname,cmd,pmem,pcpu --sort=-pmem,-pcpu | head -15 Sun Mar 12 09:27:34 2017

PID PPID USER CMD %MEM %CPU

17615 25026 root watch -n 1 ps -e -o pid,ppi 0.0 0.5

17215 25026 root watch -n 1 ps -e -o pid,una 0.0 0.2

4649 4641 root /usr/X11R6/bin/X :0 -audit 0.3 0.0

236 15 root [pdflush] 0.0 0.0

6703 1 root /opt/gnome/lib/gnome-applet 0.3 0.0

237 15 root [pdflush] 0.0 0.0

4369 1 root /usr/sbin/nscd 0.0 0.0

3625 1 root /usr/sbin/vmtoolsd 0.0 0.0

5278 1 root /opt/CAB/SharedComponents/Sy 0.0 0.0

1234 15 root [reiserfs/1] 0.0 0.0

1236 15 root [reiserfs/3] 0.0 0.0

21 15 root [kblockd/0] 0.0 0.0


4401 1 root zmd /usr/lib/zmd/zmd.exe -- 0.0 0.0

5655 1 root /opt/CAB/SharedComponents/dt 0.9 0.0

The output of the above command refreshes every second and displays the top 5 rows. It is one of
the most useful commands for administrators.
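To turn the same columns into a check rather than a screen to watch, the script below filters ps output by thresholds and totals usage per user. It is an added example, not part of the original article; the function names, the limits of 50 and 30, and the sample rows are assumptions made for illustration.

```shell
#!/bin/sh
# flag_hogs CPU_LIMIT MEM_LIMIT
# Reads `ps -e -o pid,user,pcpu,pmem,comm` output on stdin and prints every
# row whose %CPU or %MEM is at or above the limit, with the reason appended.
flag_hogs() {
    awk -v cpu="$1" -v mem="$2" '
        NR == 1 { next }                          # skip the header row
        {
            hot_cpu = ($3 + 0 >= cpu + 0)
            hot_mem = ($4 + 0 >= mem + 0)
            if (!hot_cpu && !hot_mem) next
            name = $5                             # command names may hold spaces
            for (i = 6; i <= NF; i++) name = name " " $i
            reason = (hot_cpu && hot_mem) ? "cpu+mem" : (hot_cpu ? "cpu" : "mem")
            print $1, $2, $3, $4, name, reason
        }'
}

# usage_by_user: total %CPU and %MEM per user, highest CPU first.
usage_by_user() {
    awk 'NR > 1 { c[$2] += $3; m[$2] += $4 }
         END { for (u in c) printf "%s %.1f %.1f\n", u, c[u], m[u] }' |
        LC_ALL=C sort -k2,2nr
}

# Constructed sample input (not taken from a real host).
sample_ps() {
    cat <<'EOF'
  PID USER     %CPU %MEM COMMAND
    1 root      0.0  0.0 init
 4649 root      0.0  0.3 X
 5655 root      0.0  0.9 dtagent
 7001 srinivas 93.5  1.2 java
 7044 srinivas  2.1 41.7 mysqld
 7100 root     88.0 35.0 backup
EOF
}

sample_ps | flag_hogs 50 30
sample_ps | usage_by_user
# Live use: ps -e -o pid,user,pcpu,pmem,comm | flag_hogs 50 30
```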

Usage 13: Display parent process and child process relation

SLTMachine # ps -f --forest -C java

The above command searches for processes called java and constructs a tree.

Usage 14: Find process information for all the process IDs in a given set of process IDs.

SLTMachine # ps -p 2001,2002,3001

The above command displays information about the processes whose process IDs are equal to 2001, 2002 and 3001.

Usage 15: Give different names to the existing ps column names.

SLTMachine # ps -e -o pid,uname=USERNAME,pcpu=CPU_CONSUMPTION,pmem=MEMORY,comm=COMMAND

PID USERNAME CPU_CONSUMPTION MEMORY COMMAND

1 root 0.0 0.0 init

2 root 0.0 0.0 migration/0

3 root 0.0 0.0 ksoftirqd/0

4 root 0.0 0.0 migration/1

5 root 0.0 0.0 ksoftirqd/1

6 root 0.0 0.0 migration/2


7 root 0.0 0.0 ksoftirqd/2

Usage 16: Display the elapsed time of processes.

SLTMachine # ps -e -o pid,etime

PID ELAPSED

1 75-13:24:23

2 75-13:24:21

3 75-13:24:21

4 75-13:24:21

5 75-13:24:21

This shows how long each process has been running.
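The ELAPSED column uses the form [[DD-]HH:]MM:SS, which is awkward to compare directly. The script below converts it to seconds and lists processes younger than a limit; it is an added example, not part of the original article, and the function names, the 3600-second limit and the sample rows are assumptions made for illustration.

```shell
#!/bin/sh
# etime_to_seconds VALUE: convert ps etime ([[DD-]HH:]MM:SS) to seconds.
etime_to_seconds() {
    printf '%s\n' "$1" | awk -F'[-:]' '
        NF < 2 || NF > 4 { exit 1 }            # not an etime value
        {
            s = $NF; m = $(NF - 1)
            h = (NF >= 3) ? $(NF - 2) : 0       # hours are optional
            d = (NF == 4) ? $1 : 0              # days are optional
            printf "%d\n", ((d * 24 + h) * 60 + m) * 60 + s
        }'
}

# recently_started LIMIT: read `ps -e -o pid,etime,comm` output on stdin and
# print "PID SECONDS COMMAND" for every process younger than LIMIT seconds.
recently_started() {
    while read -r pid etime comm; do
        # The header row ("PID ELAPSED ...") fails conversion and is skipped.
        age=$(etime_to_seconds "$etime") || continue
        if [ "$age" -lt "$1" ]; then
            echo "$pid $age $comm"
        fi
    done
    return 0
}

# Constructed sample input (not taken from a real host).
sample_etime() {
    cat <<'EOF'
  PID     ELAPSED COMMAND
    1 75-13:24:23 init
 4369 75-13:22:10 nscd
18002    01:02:09 java
17615       05:08 watch
18110       00:42 ps
EOF
}

sample_etime | recently_started 3600
# Live use: ps -e -o pid,etime,comm | recently_started 3600
```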

Usage 17: Display all the process information.

SLTMachine # ps ax

(or)

SLTMachine # ps -ef

We can use either command to display all the processes which are running.

Usage 18: Find out whether a given process is running or not.

SLTMachine # ps -elf | grep "process name"

The above command searches for the process in the list of all available processes.

Usage 19: Print security information of the process IDs.

SLTMachine # ps -eo pid,user,args

Run the above command if you want to know who is logged into the machine and the
process ID of each process they launched.

Usage 20: Print only the processes associated with this terminal

SLTMachine # ps T

Usage 21: Print full listing information of the processes

SLTMachine # ps -ef

Usage 22: Print full listing information of the processes page by page using “more”

SLTMachine # ps -ef | more

Usage 23: Print full listing information of the processes page by page using “less”

SLTMachine # ps -ef | less

Usage 24: Print process IDs of syslogd

SLTMachine # ps -C syslogd -o pid=

Usage 25: Print highest CPU utilisation in ascending order

SLTMachine # ps aux --sort -pcpu | less


Common Terms of the Hacking World:

1# DDoS: DDoS means Distributed Denial of Service. This is a type of DoS
attack in which multiple compromised systems are used, and these systems
are often infected with a Trojan. All these infected systems select a target
and cause a Denial of Service (DoS) attack.

2# VPS: It stands for virtual private server (VPS). It is a virtual machine
that is sold as a service by an Internet hosting service. A VPS generally runs
its own copy of an operating system, and the customers have superuser-
level access to that operating system instance, so they can install almost
any software that runs on that OS.

3# SE: Social engineering is an attack vector that relies heavily on human
interaction and often involves tricking people into breaking normal security
procedures.

4# HTTP: The Hypertext Transfer Protocol (HTTP) is an application protocol
for collaborative, distributed, hypermedia information systems. HTTP is the
basis of data communication for the World Wide Web. Hypertext is
structured text that makes use of logical links (hyperlinks) between nodes
containing text.

5# SSH: Secure Shell (SSH) is a cryptographic, i.e. encrypted, network
protocol that operates at layer 7 of the OSI model. It allows remote login
and other network services to operate in a secure way over an unsecured
network. In simple words, SSH is used to connect with Virtual Private
Servers.

6# FTP: The FTP or File Transfer Protocol is a standard network protocol
that is used to transfer files between a client and server using a computer
network.

7# XSS (CSS): Cross-site scripting or XSS is a type of computer security
vulnerability usually found in web applications. This vulnerability allows
hackers to inject client-side script into web pages which are viewed by other
users.

8# Script Kiddie: A Skiddie or Script Kiddie is an unskilled individual who
uses programs or scripts developed by other hackers to attack networks and
computer systems, or even to deface websites.

9# VPN: A Virtual Private Network or VPN helps in extending a private
network across a public network, such as the Internet. It allows users to
send and receive data across public or shared networks just as if their
computing devices were directly connected to the private network.
They therefore benefit from the security, functionality and management policies
of the private network.

10# Nix: Nix is a very powerful package manager for Linux and other Unix-
based systems that makes package management reproducible and reliable. It
provides side-by-side installation of multiple versions of a package, atomic
upgrades and rollbacks, easy setup of build environments and multi-user
package management.

11# SQL: Structured Query Language or SQL is a special-purpose
programming language designed for managing data contained in a relational
database management system (RDBMS), or even for stream processing in a
relational data stream management system or RDSMS.

12# FUD: Fully undetectable, or FUD for short, can stand for data that has
been encrypted, making it appear to be random noise. The term is used in
hacker circles to refer to software that appears clean to many antivirus
products but still contains some kind of hacking tool inside it.

13# LOIC/HOIC: The Low Orbit/High Orbit Ion Cannon, often abbreviated
to LOIC/HOIC, is an open source denial-of-service attack and network
stress testing application written in BASIC and designed to attack as many
as 256 URLs at a time.

14# Trojan: A Trojan or Trojan horse is a type of malware that disguises
itself as legitimate software. These Trojans can be employed by hackers
and cyber-thieves trying to gain access to users’ systems. Users are typically
tricked into loading and executing Trojans on their systems.

15# Botnet: A botnet (also known as a zombie army) is a number of
Internet computers that, although their owners are unaware of it, have been
set up to forward transmissions (including spam or viruses) to other
computers on the Internet.

16# SQL Injection: SQL injection is a famous code injection technique,
commonly used to attack data-driven applications. In this attack, malicious SQL
statements are inserted into an entry field for execution.

17# Root: Root is the highest permission level on a computer. It allows
the user to modify anything on the system without a single restriction.

18# Warez: Warez are copyrighted works distributed without fees or
royalties, and may be traded, in general violation of copyright law. Warez
are generally unauthorized releases by organized groups, as opposed to file
sharing between friends or large groups of people with similar interests using
a darknet. Warez are not usually commercial software counterfeiting.

19# White Hat Hacker: A white hat hacker is a computer security
specialist (ethical hacker) who breaks into secured systems and networks
to test and assess their level of security. These are the good guys in the
hacking community, and they use their skills and knowledge to improve security
by exposing vulnerabilities before a malicious hacker (also known as a black
hat hacker) detects and exploits them.

20# Black Hat Hacker: A black hat hacker is an individual with
very good computer knowledge and the sole purpose of bypassing or breaching
internet security for malicious reasons. Black hat hackers are also known as
dark-side hackers or crackers. These are the guys with whom white hat
hackers have to fight all the time.

21# Grey Hat Hacker: The term grey hat hacker refers to a computer
hacker or computer security expert who sometimes violates laws or typical
ethical standards for personal purposes but doesn’t have the malicious
intentions of a typical black hat hacker.

22# Rootkit: A rootkit is a clandestine computer program designed to
provide continued privileged access to a computer while actively hiding its
presence. The term rootkit is a combination of the two words “root” and “kit”.
This kind of virus can be easily removed by booting the computer in safe
mode.

23# Ring0: Very hard to remove and very rare in the wild, these can
require you to format; it’s very hard to remove certain ring0 rootkits without
safe mode.

24# IP Grabber: An IP grabber is a link that grabs a victim’s IP when they visit
the particular web address.

25# Malware: ‘Malware’ is an umbrella term used to refer to a variety of
forms of hostile or intrusive software, including computer viruses, worms,
trojan horses, ransomware, spyware, adware, scareware, and other
malicious programs. It can take the form of executable code, scripts, active
content, and other software.

26# Phreak: Phreak is a slang term coined to describe the activity of a
culture of people who experiment with, explore, or study
telecommunication systems. Phreaker, phreak, or phone phreak are names
commonly used for and by individuals who participate in phreaking.

27# DOX: Doxing, or doxxing, is the Internet-based practice of researching
and broadcasting personally identifiable information about an individual. The
methods employed to acquire this information include searching publicly
available databases and social media websites (like Facebook), hacking, and
social engineering. It is closely related to internet vigilantism and
hacktivism. Doxing may be carried out for various reasons, including to aid
law enforcement, business analysis, extortion, coercion, harassment, online
shaming and vigilante justice.

28# Worm: A computer worm is a standalone malware computer program
that replicates itself in order to spread to other computers. Often, it uses a
computer network to spread itself, relying on security failures on the target
computer to access it. Unlike a computer virus, it does not need to attach
itself to an existing program.

29# Deface: A website deface is an attack on a site that changes the
appearance of the site or a certain web page, or, technically, when a hacker
replaces the index file with their own.

30# Keylogger: A keylogger is a computer program that records every
keystroke made by a computer user, especially in order to gain fraudulent
access to passwords and other confidential information.

31# RAT: A remote administration tool (RAT) is a piece of software that
allows a remote “operator” to control a system as if he has physical access
to that system. While desktop sharing and remote administration have many
legal uses, “RAT” software is usually associated with criminal or malicious
activity.
