In parts 1 and 2 of this series, I introduced the ps command and provided tips on how to harness some of its many options to find out which processes are running on your system.
Now, picture a scene in which you want to see which processes a given parent has spawned, something I’ll look at more closely in a minute. You can achieve this with the following command:
# ps --ppid 21201
This shows us the processes whose parent process has that ID; in other words, we can pinpoint the processes that are children of process “21201” in this case.
Having said earlier that case-sensitivity usually shouldn’t cause too many headaches, I’m going to contradict myself with a few examples of why that statement isn’t always true.
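The --ppid option answers the question one level at a time. As an added example (it is not the author’s code and does not appear in the article), the small POSIX shell script below turns that single lookup into a walk of the whole tree: ancestors follows PPID upwards from a PID to init, and descendants follows ps --ppid downwards through children and grandchildren. It assumes a procps ps (the one the article uses); the fallback to reading /proc directly when ps is missing or is the BusyBox flavour is an addition here for minimal containers, not something the article shows. Run as a script it prints the lineage of the shell that started it, which is a quick sanity check during incident response: a shell whose ancestry runs back through a web server worker deserves a second look.

```shell
#!/bin/sh
# Added example, not from the article: walk the process tree in both
# directions with ps. ancestors() follows PPID upwards to PID 1, and
# descendants() follows `ps --ppid` downwards.
#
# Assumption: procps ps is installed. If it is not (or it is BusyBox ps,
# which lacks -p and --ppid), parent_of()/children_of() fall back to reading
# /proc/<pid>/stat; that fallback is an addition here for minimal containers.

# Does this ps understand the procps options used below? BusyBox ps does not.
have_procps() {
    ps -o ppid= -p 1 >/dev/null 2>&1
}

# Parent PID of $1 (prints nothing if the process does not exist).
parent_of() {
    if have_procps; then
        ps -o ppid= -p "$1" 2>/dev/null | tr -d ' '
    elif [ -r "/proc/$1/stat" ]; then
        # /proc/<pid>/stat reads "pid (comm) state ppid ...". comm may contain
        # spaces or ')', so cut after the last ')' before splitting on blanks;
        # the ppid is then the second remaining field.
        set -- $(sed 's/.*) //' "/proc/$1/stat")
        echo "${2:-}"
    fi
}

# Direct children of $1, one PID per line (what `ps --ppid` shows).
children_of() {
    if have_procps; then
        ps --ppid "$1" -o pid= 2>/dev/null | tr -d ' '
    else
        want=$1
        for s in /proc/[0-9]*/stat; do
            [ -r "$s" ] || continue
            set -- $(sed 's/.*) //' "$s" 2>/dev/null)
            if [ "${2:-}" = "$want" ]; then
                s=${s#/proc/}
                echo "${s%/stat}"
            fi
        done
    fi
}

# Every ancestor of $1, starting with $1 itself and ending at PID 1
# (PID 1 reports a parent of 0, which stops the loop). Runs in a subshell
# so its variables do not leak into the caller.
ancestors() (
    pid=$1
    while [ "${pid:-0}" -gt 0 ] 2>/dev/null; do
        echo "$pid"
        pid=$(parent_of "$pid")
    done
)

# Every descendant of $1, depth first. Transient helpers (the command
# substitution and ps itself) may appear when $1 is the running shell;
# they vanish before the recursion reaches them, which is harmless.
descendants() (
    for c in $(children_of "$1"); do
        echo "$c"
        descendants "$c"
    done
)

# Pretty-print the ancestor chain with owner and command name, the view you
# want when judging whether a process's lineage looks right.
show_chain() {
    for p in $(ancestors "$1"); do
        ps -o pid=,ppid=,user=,comm= -p "$p" 2>/dev/null || echo "$p"
    done
}

# When run as a script: show the lineage of this shell.
show_chain "$$"
```

To inspect a suspicious process instead of the current shell, replace "$$" in the last line with its PID, or source the file and call show_chain and descendants interactively.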
Try running my favorite ps command again; its abbreviated output is shown below:
# ps -ef
UID PID PPID C STIME TTY TIME CMD
apache 23026 22856 0 Feb26 ? 00:00:00 /usr/sbin/apache2
Now try running the full fat version by using an uppercase “F”:
# ps -eF
UID PID PPID C SZ RSS PSR STIME TTY TIME CMD
apache 23026 22856 0 44482 3116 0 Feb26 ? 00:00:00 /usr/sbin/apache2
The difference is that the latter adds the SZ, RSS and PSR fields. SZ is the size of the process’s core image in pages, RSS is its resident set size (the physical memory it currently occupies, in kilobytes), and PSR is the processor the process last ran on. There’s plenty more detail in the manual:
# man ps
Moving on, the “-M” option is another way of adding the security data column we briefly touched on with “-Z”; on an SELinux system that is the process’s security context, shown in the first column:
# ps -efM
unconfined_u:system_r:apache2_t:s0 apache 23031 22856 0 Feb26 ? 00:00:00 /usr/sbin/apache2
Next, a useful BSD throwback. I quite like the look of it; it is possibly one of the shortest commands known to mankind. Have a look at Listing 1.
# ps l
F UID PID PPID PRI NI VSZ RSS WCHAN STAT TTY TIME COMMAND
4 0 1414 1 20 0 4064 584 n_tty_ Ss+ tty1 0:00 /sbin/mingetty /dev/tty1
4 0 1416 1 20 0 4064 588 n_tty_ Ss+ tty2 0:00 /sbin/mingetty /dev/tty2
4 0 1418 1 20 0 4064 584 n_tty_ Ss+ tty3 0:00 /sbin/mingetty /dev/tty3
4 0 1420 1 20 0 4064 580 n_tty_ Ss+ tty4 0:00 /sbin/mingetty /dev/tty4
4 0 1426 1 20 0 4064 584 n_tty_ Ss+ tty5 0:00 /sbin/mingetty /dev/tty5
4 0 1430 1 20 0 4064 588 n_tty_ Ss+ tty6 0:00 /sbin/mingetty /dev/tty6
4 0 9896 9558 20 0 191392 2740 poll_s S pts/1 0:00 sudo -i
4 0 9899 9896 20 0 110496 1960 wait S pts/1 0:00 -bash
4 0 10776 9899 20 0 108104 980 - R+ pts/1 0:00 ps l
Listing 1: The BSD-style “long format” output, which can be combined with other options.
Clarity
Sometimes even the mighty ps command struggles to refine its output precisely. Imagine a scenario where a Java parent is repeatedly forking short-lived children that fill up the process table, and all you want to do is find that parent so that you can stop (or “kill”) it. The non-hyphenated BSD “S” switch sums information such as CPU time from dead child processes into their parent:
# ps S
This makes the parent stand out in the listing even when its child processes only live for a short period of time and never appear in a snapshot themselves.
What about when your process table is brimming with processes and you need to list a number of PIDs at once? As you’d expect, there are different ways to achieve this: “-p” accepts a list separated by commas or, when quoted, by spaces, and it can be repeated, as Listing 2 shows when we run the following command:
# ps -p "1 2" -p 3,4
PID TTY TIME CMD
1 ? 00:00:03 init
2 ? 00:00:01 kthreadd
3 ? 00:00:01 migration/0
4 ? 00:00:20 ksoftirqd/0
Listing 2: We can pick and choose the PIDs that we view in a number of ways.
More to Come
Next time, I’ll look at how the well-considered Unix principle of “everything is a file” extends to the Process Table, and I’ll show how to uncover the wealth of information that can be found in the “procfs” pseudo-filesystem.
Chris Binnie is a Technical Consultant with 20 years of Linux experience and a writer for Linux Magazine and Admin Magazine. His new book Linux Server Security: Hack and Defend teaches you how to launch sophisticated attacks, make your servers invisible and crack complex passwords.