Command Line Tools To Monitor Linux Performance

Monitoring system performance is a crucial task for system administrators, developers, and advanced users. Linux provides a range of command-line tools designed to track resource usage, diagnose issues, and ensure system efficiency. These tools help analyze CPU performance, memory consumption, disk activity, and network traffic, making it easier to detect potential bottlenecks and security risks.

Why Monitoring System Resources in Linux Matters

Monitoring system resources in Linux is critical for stability, performance, and security. Understanding how resources are used matters whether you are managing servers, building apps, or running complex workloads.

  • Boosting Performance: Monitoring tools help identify processes that use too much CPU, memory, or disk I/O. Addressing these issues keeps systems and applications running smoothly;
  • Fixing Problems Faster: If a server slows down, tracking resource usage can reveal whether high CPU load, memory shortages, or disk activity is the cause;
  • Planning for Growth: Regular monitoring provides data trends, making it easier to predict when upgrades or scaling are needed;
  • Enhancing Security: Sudden spikes in network traffic or resource consumption could signal a security threat. Monitoring tools help detect and respond to such risks early.

Now that the importance of system monitoring is clear, the next step is to explore Linux command-line tools that provide real-time performance insights.

Essential Command-Line Tools for Linux Performance Monitoring

Top – Linux Process Monitoring

In Linux and Unix-like operating systems, the top command is a popular tool for tracking system performance. System administrators frequently rely on it to watch real-time resource usage and manage running processes efficiently.

This command provides a continuously updated list of active processes, displaying key metrics such as CPU usage, memory consumption, swap memory, cache size, buffer size, process IDs (PIDs), users, and associated commands.

Additionally, top highlights processes consuming high CPU and memory resources, making it an essential tool for diagnosing system performance issues. Administrators can use this command to identify resource-intensive tasks and take corrective actions as needed.

To execute the top command, use:

# top

VmStat – Virtual Memory Statistics

The vmstat command offers comprehensive information on system processes, kernel threads, disk activities, I/O activity, interrupts, CPU performance, and virtual memory use.

On the majority of Linux distributions, vmstat is not installed by default. It is part of the sysstat package, which has to be installed separately. Depending on the Linux distribution you are using, use one of these commands:

$ sudo yum install sysstat      # On Older CentOS/RHEL & Fedora  

$ sudo dnf install sysstat      # On CentOS/RHEL/Fedora/Rocky Linux & AlmaLinux  

$ sudo apt-get install sysstat  # On Debian/Ubuntu & Mint  

$ sudo pacman -S sysstat        # On Arch Linux  

The basic syntax for running vmstat is:

# vmstat

This outputs system performance metrics in a tabular format, including:

procs -----------memory---------- ---swap-- -----io---- -system-- ------cpu-----

 r  b   swpd   free   buff  cache   si   so    bi    bo   in   cs us sy id wa st  

 1  0  43008 275212   1152 561208    4   16   100   105   65  113  0  1 96  3  0  

This information enables administrators to assess system resource utilization, identify performance issues, and improve overall system efficiency.
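The following added example (not part of the original article) shows one way to turn vmstat output into alerts: it looks columns up by header name and flags samples with swap traffic, high I/O wait, or blocked processes. The thresholds and the second data row are assumptions made for illustration; note that when vmstat is run without an interval, its single report contains averages since boot.

```shell
#!/bin/sh
# Added example. Row 1 is the vmstat output shown above; row 2 is constructed
# to represent a host under memory and I/O pressure.
sample_vmstat() {
cat <<'EOF'
procs -----------memory---------- ---swap-- -----io---- -system-- ------cpu-----
 r  b   swpd   free   buff  cache   si   so    bi    bo   in   cs us sy id wa st
 1  0  43008 275212   1152 561208    4   16   100   105   65  113  0  1 96  3  0
 3  2  51200  81232   1100 402112  220  340   900  1200  410  820 12  9 41 38  0
EOF
}

# vmstat_alerts [max_swap_kb_s] [max_iowait_pct]
# Reads vmstat output on stdin and prints one verdict per sample row.
# Defaults (100 KiB/s of swap traffic, 20% iowait) are illustrative only.
vmstat_alerts() {
  awk -v max_swap="${1:-100}" -v max_wa="${2:-20}" '
    # The row that names the columns is the one containing "swpd".
    /swpd/ { for (i = 1; i <= NF; i++) col[$i] = i; next }

    # Data rows start with a number and come after the column header.
    ("si" in col) && $1 ~ /^[0-9]+$/ {
      row++
      swap = $(col["si"]) + $(col["so"])   # swap-in + swap-out per second
      wa   = $(col["wa"])                  # % of CPU time waiting on I/O
      blk  = $(col["b"])                   # processes in uninterruptible sleep
      msg = ""
      if (swap > max_swap) msg = msg " swap_kb_s=" swap
      if (wa > max_wa)     msg = msg " iowait_pct=" wa
      if (blk > 0)         msg = msg " blocked=" blk
      print "sample " row ":" (msg == "" ? " ok" : msg)
    }'
}

# Demo on the embedded sample.
sample_vmstat | vmstat_alerts
```

On a live host, feed it interval samples instead, for example `vmstat 5 3 | vmstat_alerts`, and ignore the first sample because it reflects averages since boot.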

Lsof – List Open Files

The lsof command is a useful tool in Linux and Unix-like systems for listing open files and the processes using them. It provides details on disk files, network sockets, pipes, devices, and other active resources.

A common use case for lsof is identifying files that prevent a disk from being unmounted due to ongoing usage. This allows system administrators to determine which processes are accessing specific files and take appropriate actions.

The basic syntax to list open files is:

# lsof

Example output:

COMMAND     PID   TID TASKCMD             USER   FD      TYPE             DEVICE SIZE/OFF       NODE NAME

systemd       1                           root  cwd       DIR                8,2      224        128 /

systemd       1                           root  rtd       DIR                8,2      224        128 /

systemd       1                           root  txt       REG                8,2  1567768  134930842 /usr/lib/systemd/systemd

systemd       1                           root  mem       REG                8,2  2714928  134261052 /usr/lib64/libm-2.28.so

systemd       1                           root  mem       REG                8,2   628592  134910905 /usr/lib64/libudev.so.1.6.11

systemd       1                           root  mem       REG                8,2   969832  134261204 /usr/lib64/libsepol.so.1

systemd       1                           root  mem       REG                8,2  1805368  134275205 /usr/lib64/libunistring.so.2.1.0

systemd       1                           root  mem       REG                8,2   355456  134275293 /usr/lib64/libpcap.so.1.9.0

systemd       1                           root  mem       REG                8,2   145984  134261219 /usr/lib64/libgpg-error.so.0.24.2

systemd       1                           root  mem       REG                8,2    71528  134270542 /usr/lib64/libjson-c.so.4.0.0

systemd       1                           root  mem       REG                8,2   371736  134910992 /usr/lib64/libdevmapper.so.1.02

systemd       1                           root  mem       REG                8,2    26704  134275177 /usr/lib64/libattr.so.1.1.2448

systemd       1                           root  mem       REG                8,2  3058736  134919279 /usr/lib64/libcrypto.so.1.1.1c

This output provides key details, including the process name, PID, user, file descriptor (FD), file type, and file path.

Tcpdump – Network Packet Analyzer

The tcpdump command is a widely used command-line tool for network packet analysis. It allows administrators to capture and filter TCP/IP packets transmitted over a network interface in real time.

This tool is valuable for troubleshooting network-related issues, analyzing traffic patterns, and detecting potential security threats. Additionally, tcpdump can save captured packets for later analysis.

To start capturing packets on a specific network interface, run:

# tcpdump -i enp0s3

Example output:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes

10:19:34.635893 IP tecmint.ssh > 192.168.0.124.45611: Flags [P.], seq 2840044824:2840045032, ack 4007244093

10:19:34.636289 IP 192.168.0.124.45611 > tecmint.ssh: Flags [.], ack 208, win 11768, options 

10:19:34.873060 IP _gateway.57682 > tecmint.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; UNICAST

10:19:34.873104 IP tecmint > _gateway: ICMP tecmint udp port netbios-ns unreachable, length 86

10:19:34.895453 IP _gateway.48953 > tecmint.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; UNICAST

10:19:34.895501 IP tecmint > _gateway: ICMP tecmint udp port netbios-ns unreachable, length 86

10:19:34.992693 IP 142.250.4.189.https > 192.168.0.124.38874: UDP, length 45

10:19:35.010127 IP 192.168.0.124.38874 > 142.250.4.189.https: UDP, length 33

10:19:35.135578 IP _gateway.39383 > 192.168.0.124.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; UNICAST

10:19:35.135586 IP 192.168.0.124 > _gateway: ICMP 192.168.0.124 udp port netbios-ns unreachable, length 86

10:19:35.155827 IP _gateway.57429 > 192.168.0.124.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; UNICAST

10:19:35.155835 IP 192.168.0.124 > _gateway: ICMP 192.168.0.124 udp port netbios-ns unreachable, length 86

Netstat – Network Statistics

The netstat command is a useful tool for monitoring network connections, tracking incoming and outgoing traffic, and checking interface statistics. System administrators rely on it to analyze network activity and troubleshoot connectivity issues.

To display active network connections, use:

# netstat -a | more

Example output:

Active Internet connections (servers and established)

Proto Recv-Q Send-Q Local Address           Foreign Address         State

tcp        0      0 0.0.0.0:sunrpc          0.0.0.0:*               LISTEN

tcp        0      0 tecmint:domain          0.0.0.0:*               LISTEN

tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN

tcp        0      0 localhost:postgres      0.0.0.0:*               LISTEN

tcp        0      0 tecmint:ssh             192.168.0.124:45611     ESTABLISHED

tcp6       0      0 [::]:sunrpc             [::]:*                  LISTEN

tcp6       0      0 [::]:ssh                [::]:*                  LISTEN

tcp6       0      0 localhost:postgres      [::]:*                  LISTEN

udp        0      0 0.0.0.0:mdns            0.0.0.0:*

udp        0      0 localhost:323           0.0.0.0:*

udp        0      0 tecmint:domain          0.0.0.0:*

udp        0      0 0.0.0.0:bootps          0.0.0.0:*

udp        0      0 tecmint:bootpc          _gateway:bootps         ESTABLISHED

Although netstat has been replaced by the ss command in newer Linux distributions, it remains available in many systems and continues to be a practical option for network analysis.
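As an added example (not from the original article), the script below reads netstat output and lists the services reachable on every interface, then compares them with an allowlist so that unexpected listeners stand out. The sample input is the netstat output shown above; the function names and the allowlist are assumptions for illustration.

```shell
#!/bin/sh
# Added example. Sample input: the `netstat -a` output shown above.
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:sunrpc          0.0.0.0:*               LISTEN
tcp        0      0 tecmint:domain          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN
tcp        0      0 localhost:postgres      0.0.0.0:*               LISTEN
tcp        0      0 tecmint:ssh             192.168.0.124:45611     ESTABLISHED
tcp6       0      0 [::]:sunrpc             [::]:*                  LISTEN
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN
tcp6       0      0 localhost:postgres      [::]:*                  LISTEN
udp        0      0 0.0.0.0:mdns            0.0.0.0:*
udp        0      0 localhost:323           0.0.0.0:*
udp        0      0 tecmint:domain          0.0.0.0:*
udp        0      0 0.0.0.0:bootps          0.0.0.0:*
udp        0      0 tecmint:bootpc          _gateway:bootps         ESTABLISHED
EOF
}

# exposed_listeners: read netstat output on stdin and print "proto/service"
# for every socket bound to all interfaces (0.0.0.0, [::], :: or *).
# TCP sockets must be in LISTEN; UDP has no LISTEN state, so an unconnected
# UDP socket (empty State column) is treated as listening.
exposed_listeners() {
  awk '
    $1 ~ /^(tcp|udp)6?$/ {
      laddr = $4; state = $6
      # Split the local address at its last colon into host and service.
      if (!match(laddr, /:[^:]*$/)) next
      host = substr(laddr, 1, RSTART - 1)
      svc  = substr(laddr, RSTART + 1)
      if (host != "0.0.0.0" && host != "[::]" && host != "::" && host != "*") next
      if ($1 ~ /^tcp/ && state != "LISTEN") next
      if ($1 ~ /^udp/ && state != "") next
      print $1 "/" svc
    }' | LC_ALL=C sort -u
}

# unexpected_listeners SERVICE...: like exposed_listeners, but drops any
# service named on the command line (the allowlist for this host).
unexpected_listeners() {
  allowed=" $* "
  exposed_listeners | while IFS=/ read -r proto svc; do
    case "$allowed" in
      *" $svc "*) ;;                         # expected on this host
      *) printf '%s/%s\n' "$proto" "$svc" ;; # worth a closer look
    esac
  done
}

# Demo: on this sample host only ssh is expected to face the network.
sample_netstat | unexpected_listeners ssh
```

On a live system, pipe `netstat -a` (or `netstat -an` for numeric ports) into the same functions and keep the allowlist next to the host's documented services.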

Htop – Advanced Process Monitoring

htop is an interactive real-time process monitoring tool that offers a more user-friendly alternative to the traditional top command. It provides enhanced features such as an intuitive interface, process management options, and support for vertical and horizontal process views.

To launch htop, use:

# htop

Unlike top, htop offers:

  • A color-coded, interactive display;
  • Easy-to-use shortcut keys for managing processes;
  • Improved navigation for sorting and filtering.

Since htop is not included by default in most Linux distributions, it must be installed using the system package manager:

$ sudo apt-get install htop    # Debian/Ubuntu/Mint  

$ sudo yum install htop        # RHEL/CentOS  

$ sudo dnf install htop        # Fedora/Rocky/AlmaLinux  

$ sudo pacman -S htop          # Arch Linux 

Iotop – Monitor Disk I/O Usage

iotop is similar to top and htop but focuses on tracking disk input/output operations in real time. It helps identify processes consuming high disk read/write operations, making it useful for diagnosing performance bottlenecks.

The iotop command is not pre-installed on most Linux distributions and must be installed using the package manager:

$ sudo yum install iotop      # Older CentOS/RHEL & Fedora  

$ sudo dnf install iotop      # CentOS/RHEL/Fedora/Rocky Linux & AlmaLinux  

$ sudo apt-get install iotop  # Debian/Ubuntu & Mint  

$ sudo pacman -S iotop        # Arch Linux  

To monitor disk I/O usage, run:

# iotop

This provides a real-time view of processes performing disk operations, helping system administrators track down high disk usage.

Iostat – Input/Output Performance Monitoring

The iostat command gathers and displays data about system input and output actions. It is frequently used to evaluate the performance of storage devices, including local disks and network-mounted drives such as NFS.

iostat is part of the sysstat package, which needs to be installed separately:

$ sudo yum install sysstat      # On Older CentOS/RHEL & Fedora

$ sudo dnf install sysstat      # On CentOS/RHEL/Fedora/Rocky Linux & AlmaLinux

$ sudo apt-get install sysstat  # On Debian/Ubuntu & Mint

$ sudo pacman -S sysstat        # On Arch Linux

To check system I/O statistics, use:

# iostat

Linux 4.18.0-193.el8.x86_64 (tecmint)   04/05/2021      _x86_64_        (1 CPU)

avg-cpu:  %user   %nice %system %iowait  %steal   %idle

           0.21    0.03    0.59    2.50    0.00   96.67

Device             tps    kB_read/s    kB_wrtn/s    kB_read    kB_wrtn

sda               3.95        83.35        89.63    1782431    1916653

IPTraf – Real-Time Network Monitoring

IPTraf is a real-time network monitoring program for Linux that runs from the console. It gives precise information on the IP traffic flowing over the network, such as TCP flag data, ICMP statistics, TCP/UDP traffic splits, and connection packet counts.

Additionally, it collects interface-specific data such as TCP, UDP, and ICMP activity, non-IP traffic, IP checksum errors, and overall network usage statistics.

Psacct or Acct – User Activity Monitoring

The psacct and acct utilities track user activity on a system in real time. These background daemons log user commands, session durations, and resource consumption, providing administrators with a detailed overview of system usage.

These tools help in auditing user activity by recording commands executed, resource usage patterns, and session durations, making them valuable for monitoring and system security.

Monit – Linux Process and Services Monitoring

Monit is a free, open-source, web-based process supervision tool that automatically monitors and controls system processes, applications, files, directories, permissions, checksums, and filesystems.

It monitors services like Apache, MySQL, Mail, FTP, ProFTP, Nginx, SSH, and so on. The system status can be viewed from the command line or using its own web interface.

NetHogs – Per-Process Network Bandwidth Monitoring

NetHogs is a small, open-source program that monitors real-time network utilization for all processes on a system. Much as the top command does for CPU usage, NetHogs shows how much bandwidth specific apps or programs consume.

To monitor network activity per process, run:

# nethogs

Iftop – Real-Time Network Bandwidth Monitoring

Iftop is a terminal-based utility that displays real-time network bandwidth utilization. It continually displays information on traffic traveling via a certain network interface, including both source and destination hosts.

Similar to top for CPU monitoring, iftop is designed specifically for tracking network usage. It helps administrators identify bandwidth-heavy connections and analyze network performance.

To start monitoring bandwidth usage, use:

# iftop

Monitorix – System and Network Monitoring

Monitorix is a lightweight monitoring tool designed for Linux and Unix servers. It continuously collects system and network performance data, displaying the results in graphical format via its built-in HTTP web server.

This tool tracks various metrics, including CPU load, memory usage, disk health, network activity, active system services, mail server statistics (Postfix, Sendmail, Dovecot), and MySQL performance.

Arpwatch – Ethernet Activity Monitoring

Arpwatch is a tool designed to monitor changes in MAC and IP address mappings on an Ethernet network. It logs any modifications to IP-MAC address pairs, including timestamps, and can send email notifications to administrators when a new pairing is detected or an existing one changes.

This utility is particularly useful for identifying ARP spoofing attacks and tracking network activity in real time.

Suricata – Network Security Monitoring

Suricata is an open-source network security solution that functions as both an intrusion detection system (IDS) and an intrusion prevention system (IPS). It operates on Linux, FreeBSD, and Windows, offering deep packet inspection, real-time traffic analysis, and automated threat detection.

Developed by the Open Information Security Foundation (OISF), Suricata provides high-performance monitoring for identifying potential security threats and preventing unauthorized access.

VnStat PHP – Web-Based Network Bandwidth Monitoring

VnStat PHP is a web-based interface for vnStat, a widely used network traffic monitoring tool. It presents network usage statistics in an easy-to-read graphical format, displaying real-time and historical data.

The tool provides insights into total incoming and outgoing traffic, with reports categorized by hour, day, month, and a complete summary.

Nagios – Network and Server Monitoring

Nagios is a widely used monitoring system that helps administrators track network and server performance. It enables real-time monitoring of Linux and Windows servers, network devices such as switches and routers, and other infrastructure components.

The system provides alerts when potential issues arise, allowing administrators to address problems before they impact business operations. With centralized monitoring, Nagios helps detect performance degradation, system failures, and connectivity issues.

Nmon – Comprehensive Linux Performance Monitoring

Nmon (Nigel’s Performance Monitor) is a utility designed to track key Linux system resources, including CPU usage, memory, disk activity, network performance, top processes, NFS activity, and kernel statistics.

It operates in two modes:

  • Online Mode – Displays real-time performance data for live monitoring;
  • Capture Mode – Stores system performance metrics in CSV format for later analysis.

This tool is useful for both immediate system diagnostics and long-term performance tracking.

Collectl – All-in-One System Monitoring

Collectl is a command-line-based monitoring utility that provides detailed insights into various system resources such as CPU usage, memory, network activity, inodes, processes, TCP connections, sockets, and NFS performance.

With its broad functionality, Collectl offers a flexible way to track system performance in real time, making it a valuable tool for diagnosing system behavior and detecting performance issues.

Free – Check Memory Usage in Linux

The free command provides a snapshot of system memory usage. To display results in MB or GB, use the -m or -g option, respectively.

free -h

This provides a human-readable format, making it easier to analyze available, used, and free memory.

Du – Analyze Directory Space Usage

The du command helps assess disk space usage for a specific directory and its subdirectories. Adding the -h option formats the output in a human-readable way.

du -sh /path/to/directory

This command is useful for identifying directories consuming significant storage.

Mpstat – Monitor Multi-Processor CPU Usage

The mpstat command tracks CPU usage across multiple processors. Running it with a time interval provides ongoing updates.

mpstat -P ALL 5

This displays usage statistics for each processor core, helping diagnose CPU load distribution.

Nmon – Interactive System Performance Monitoring

nmon is an interactive tool for real-time monitoring of CPU, memory, network, and disk usage. Press different keys to move through various system statistics.

nmon

This tool provides a comprehensive overview of system performance, aiding in diagnostics and optimization.

Ps – View and Manage Active Processes in Linux

The ps command is a built-in utility in Linux used to display information about currently running processes. It allows users to view system processes based on different filters, such as user ownership, CPU or memory usage, and more. The output can also be refined using the grep command to search for specific processes.

To display processes running in the current terminal session:

ps

Example Output:

   PID TTY          TIME CMD

162611 pts/0    00:00:00 bash

166207 pts/0    00:00:00 ps

To list all active processes across all terminal sessions:

ps aux

Example Output:

root       18112  0.0  0.0   2472    76 ?        S<   Nov20   0:06 /usr/sbin/atopacctd

monitor+   47565  0.0  1.1  82208 11272 ?        Ss   Nov20   0:06 monitorix-httpd listening on 8080

root       69049  0.0  0.4  25260  4816 ?        Ss   Nov21   0:00 /lib/systemd/systemd-udevd

To sort processes by memory usage in descending order:

ps aux --sort=-%mem

Other sorting options include:

-%cpu → Sort by CPU usage (descending)

-%mem → Sort by memory usage (descending)

+rss → Sort by real-time memory consumption

+start_time → Sort by process start time (oldest first)

+user → Sort by user ownership

To display processes started by the root user:

ps -u root

For an extended view including User ID, Process ID, CPU usage, and more:

ps -f

To explore more options and features of the ps command:

man ps

This command provides extensive documentation on how to monitor and manage processes effectively.

Uptime – Monitor System Uptime and Load

The uptime command provides information about how long the system has been running, the number of logged-in users, and system load averages. It helps track system availability, CPU idle time, and the duration since the last reboot. Monitoring website uptime is equally important for ensuring continuous online availability and preventing downtime-related disruptions.

To verify the installed version of uptime:

uptime -V

Example Output:

uptime from procps-ng 4.0.2

To display uptime details, including logged-in users and system load averages:

uptime

Example Output:

01:29:57 up 7:32, 1 user, load average: 0.00, 0.02, 0.03

For a simplified view of uptime duration:

uptime -p

Example Output:

up 7 hours, 32 minutes

To see when the server was last rebooted:

uptime -s

Example Output:

2025-01-12 17:57:53

Strace – Trace System Calls and Signals

strace is a diagnostic tool that tracks system calls and signals used by a process. It allows monitoring of kernel-level interactions, making it useful for debugging and troubleshooting performance issues.

If strace is not installed, use the following commands based on the Linux distribution:

# Debian/Ubuntu

sudo apt install strace  

# CentOS/RHEL

sudo dnf install strace  

To check the installed strace version:

strace --version

Example Output:

strace -- version 6.1

For example, to monitor system calls used by apache2:

sudo strace apache2

Example Output:

mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fd3919fa000

socket(AF_NETLINK, SOCK_RAW|SOCK_CLOEXEC, NETLINK_ROUTE) = 3

bind(3, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 0

To trace an active process, use the -p option followed by the process ID:

sudo strace -p 1121

Access the strace Manual

For additional options and usage details:

man strace

This provides comprehensive documentation on tracing system calls for debugging and performance analysis.

Conclusion

Monitoring system performance in Linux is essential for optimizing efficiency, troubleshooting issues, and maintaining security. The command-line tools covered in this guide provide insights into CPU usage, memory consumption, disk activity, and network performance. Regular use of these utilities helps prevent bottlenecks, detect security threats, and ensure stable system operations, making them valuable for administrators and advanced users.

Alex Carter

Alex Carter is a cybersecurity enthusiast and tech writer with a passion for online privacy, website performance, and digital security. With years of experience in web monitoring and threat prevention, Alex simplifies complex topics to help businesses and developers safeguard their online presence. When not exploring the latest in cybersecurity, Alex enjoys testing new tech tools and sharing insights on best practices for a secure web.