
Linux Processes

Processes are running programs on the system, each with a unique PID, a parent process, and its own resource allocation. Understanding processes is critical for incident response and system administration.

Viewing Processes

ps aux                           # All processes (BSD style)
ps -ef                           # All processes (standard)
ps auxf                          # Process tree
top                              # Real-time monitoring (hit 'q' to quit)
htop                             # Better top (install if needed)
pstree                           # Process hierarchy tree

Essential ps Columns

  • USER - Who owns the process
  • PID - Process ID
  • %CPU / %MEM - Resource usage
  • VSZ / RSS - Virtual and resident memory
  • STAT - Process state (R=running, S=sleeping, Z=zombie)
  • COMMAND - Command that started it
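The STAT letters above are the first thing to scan for during triage. As an added example that is not part of the original cheat sheet, the POSIX shell snippet below parses the text printed by ps -eo pid,ppid,user,stat,comm (embedded here as a constructed sample), selects processes by state letter, and reports which parent PIDs have left zombies unreaped; the function and variable names are mine.

```shell
#!/bin/sh
# Added example, not from the original cheat sheet. Assumes the input is the
# text printed by:  ps -eo pid,ppid,user,stat,comm   (header line included).
# The COMMAND column (comm) is assumed to be a single token.

# Constructed sample of that ps output; on a real host, pipe the live
# command into by_state instead (see the comment at the bottom).
SAMPLE_PS='  PID  PPID USER     STAT COMMAND
    1     0 root     Ss   systemd
  812     1 root     Ss   sshd
 2045   812 alice    S    bash
 3310  2045 alice    R+   ps
 4321  2045 alice    Z    worker
 4400     1 www-data T    apache2
 4500   812 root     Z    worker'

# by_state LETTER: read ps text on stdin, print "PID PPID COMMAND" for every
# process whose STAT column starts with LETTER (R, S, T or Z as listed above).
# Only the first character is compared, so "Ss" and "R+" match S and R.
by_state() {
    awk -v want="$1" 'NR > 1 && substr($4, 1, 1) == want { print $1, $2, $5 }'
}

# The same filter bound to the constructed sample.
sample_by_state() {
    printf '%s\n' "$SAMPLE_PS" | by_state "$1"
}

# Number of sample processes in the given state (0 when none).
sample_count() {
    sample_by_state "$1" | wc -l | tr -d ' '
}

# A zombie has already exited; only its parent can reap it. When zombies
# accumulate, the parent is the process to investigate, so report the
# distinct parent PIDs of all zombies, numerically sorted.
sample_zombie_parents() {
    sample_by_state Z | awk '{ print $2 }' | sort -n -u
}

# Live use on a host (not run here):
#   ps -eo pid,ppid,user,stat,comm | by_state Z
```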

Process Control

kill PID                         # Terminate process (SIGTERM)
kill -9 PID                      # Force kill (SIGKILL)
killall process_name             # Kill all by name
pkill pattern                    # Kill by pattern

Signals

Common signals: 1 (HUP - reload), 2 (INT - Ctrl+C), 9 (KILL - force), 15 (TERM - graceful)

Background and Foreground

command &                        # Run in background
Ctrl+Z                           # Suspend foreground process
jobs                             # List background jobs
fg %1                            # Bring job 1 to foreground
bg %1                            # Run job 1 in background
nohup command &                  # Immune to hangups

Process Priority

nice -n 10 command               # Run with lower priority
renice -n 5 -p PID               # Change priority of running process

Monitoring

watch -n 1 'ps aux | grep process'  # Watch process every second
lsof -i :80                      # What's listening on port 80?
lsof -p PID                      # Files opened by process
fuser 80/tcp                     # PID using port 80

System Call Tracing

strace -p PID                    # Trace syscalls of running process
strace -e openat command         # Trace only openat syscalls
strace -o trace.log command      # Save trace to file
ltrace command                   # Trace library calls

Use strace when you need to understand what a binary actually does -- it reveals every file it opens, every network connection it makes, and every argument it passes.

Terminal Multiplexers

tmux new -s session_name         # Create session
tmux detach                      # Detach (Ctrl+b d)
tmux attach -t session_name      # Reattach
screen -S session_name           # Create screen session
screen -r session_name           # Reattach screen