System Monitoring (htop, iotop, netstat)

Category: Intermediate Linux Commands
Type: Linux Commands
Generated on: 2025-07-10 03:08:46
For: System Administration, Development & Technical Interviews

---

System Monitoring Cheatsheet (htop, iotop, netstat)

This cheatsheet provides a practical guide to system monitoring using htop, iotop, and netstat on Linux. It’s designed for both system administrators and developers needing to understand system resource usage and network activity.

1. Command Overview

• htop: An interactive process viewer. It’s an improved version of top, offering a more user-friendly interface, color-coding, and mouse support. Use it to identify processes consuming excessive CPU, memory, or causing other performance issues.
• iotop: Monitors disk I/O usage by processes. Useful for identifying processes that are heavily reading from or writing to disk, which can cause slowdowns. Requires sudo in most cases.
• netstat: (Deprecated, but still useful for quick checks. ss is the preferred replacement). Displays network connections, routing tables, interface statistics, masquerade connections, and multicast memberships. Use it to diagnose network connectivity problems, identify open ports, and understand network traffic.

2. Basic Syntax

• htop:

  htop [options]

• iotop:

  iotop [options]

• netstat: (Prefer ss for new scripts)

  netstat [options]

3. Practical Examples

htop Examples:

• Basic Execution:

  htop

  (Output: Interactive process viewer showing CPU, memory, swap usage, and a list of processes)

• Sorting by CPU Usage: Press F6 then select CPU% and press Enter. Alternatively, use the < and > keys to scroll through sort options.

• Filtering Processes: Press F3 and enter a search term (e.g., nginx).

• Tree View: Press F5 to toggle the process tree view, showing parent-child relationships.

• Killing a Process: Select the process using arrow keys, and press F9 to send a signal (default is SIGTERM).

iotop Examples:

• Basic Execution:

  sudo iotop

  (Output: Interactive display showing disk I/O usage by process)

• Accumulated I/O:

  sudo iotop -ao

  -a: Show accumulated I/O values. -o: Only show processes doing I/O.

• Display Top 10 Processes:

  sudo iotop -n 10

  -n 10: Show only the first 10 processes.

• Only show processes currently doing I/O and update every second:

  sudo iotop -o -d 1

  -d 1: Update every 1 second.

netstat Examples:

• List all listening ports (TCP and UDP):

  netstat -lntpu

  -l: Listening sockets. -n: Numeric addresses (don’t resolve hostnames). -t: TCP connections. -u: UDP connections. -p: Show PID/Program name.

• Show all TCP connections:

  netstat -at

  -a: All connections (listening and established). -t: TCP connections.

• Show routing table:

  netstat -r

  (Output: Displays the kernel’s routing table)

• Show interface statistics:

  netstat -i

  (Output: Displays statistics for each network interface, including packets transmitted/received, errors, and dropped packets)

• Find the process listening on port 80:

  netstat -plnt | grep ":80 "

  grep ":80 " filters the output for lines containing “:80 ” (note the space to avoid matching port 8080).

4. Common Options

htop Options:

• -d <seconds>: Delay between updates (default is 0.5 seconds). Example: htop -d 1 (updates every 1 second).
• -u <user>: Show only processes owned by the specified user.
• -s <column>: Sort by the specified column (e.g., CPU, MEM). This is better accomplished interactively.
• -p <pid>,<pid>,...: Show only the specified processes.
• F2: Setup (configure display, sorting, etc.)
• F3: Search for a process.
• F5: Tree view.
• F6: Sort by column.
• F9: Kill a process.

iotop Options:

• -o: Only show processes doing I/O.
• -b: Batch mode (useful for logging).
• -n <num>: Number of iterations before exiting. Example: iotop -n 5 (runs for 5 iterations).
• -d <seconds>: Delay between updates. Example: iotop -d 2 (updates every 2 seconds).
• -p <pid>: Show only the specified process.
• -u <user>: Show only processes owned by the specified user.
• -a: Show accumulated I/O instead of bandwidth.

netstat Options: (Consider using ss instead)

• -a: All connections (listening and established).
• -t: TCP connections.
• -u: UDP connections.
• -l: Listening sockets.
• -n: Numeric addresses (don’t resolve hostnames). Essential for faster lookups.
• -p: Show PID/Program name. Requires sudo in many cases.
• -r: Routing table.
• -i: Interface statistics.
• -s: Summary statistics for each protocol.
• -c: Continuous output (updates every second).

5. Advanced Usage

htop Advanced:

• Customizing the Display: Press F2 (Setup) to customize the displayed columns, colors, and sorting. This configuration is saved between sessions.
• Using htop in a script: While htop is primarily interactive, you can use htop -b -n 1 to get a single batch output. This is not the intended use case; use ps or top for scripting.
• Killing Multiple Processes: Use F3 to search for a pattern, then use the spacebar to select multiple processes, and finally press F9 to kill them all.

iotop Advanced:

• Logging I/O Usage to a File:

  sudo iotop -b -n 60 -d 1 > iotop.log

  This runs iotop in batch mode for 60 iterations, with a 1-second delay, and saves the output to iotop.log.

• Analyzing I/O Patterns Over Time: Use iotop -b in combination with tools like awk or grep to extract specific information from the log file.

netstat Advanced: (Again, ss is preferred!)

• Finding the number of connections to a specific port:

  netstat -an | grep ".80 " | wc -l

  This counts the number of established connections to port 80. (Replace 80 with the desired port). Be careful with the grep pattern; the space after .80 is important to avoid counting port 8080, etc.

• Identifying the source IP addresses making the most connections to a server:

  netstat -nt | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | head -n 10

  This command lists the top 10 IP addresses making connections to the server, sorted by the number of connections. This is useful for identifying potential attackers or misconfigured clients.

  • netstat -nt: List numeric TCP connections.
  • awk '{print $5}': Print the 5th field (remote address:port).
  • cut -d: -f1: Cut the port off, leaving only the IP address.
  • sort: Sort the addresses.
  • uniq -c: Count the occurrences of each address.
  • sort -nr: Sort numerically in reverse order (highest count first).
  • head -n 10: Show the top 10 results.

• Monitoring Network Interface Traffic (with watch):

  watch netstat -i

  This command runs netstat -i every 2 seconds (the default watch interval), allowing you to monitor network interface traffic in real-time.

6. Tips & Tricks

• htop Configuration: Customize htop’s display (colors, columns) to suit your workflow. These settings are persistent.
• iotop Permissions: Remember to run iotop with sudo in most cases, as it requires elevated privileges to access I/O statistics.
• netstat vs. ss: ss is generally faster and provides more detailed information than netstat. Start using ss instead of netstat.
• Combining Commands: Use pipes (|) to combine htop, iotop, and netstat with other commands like grep, awk, sort, and wc to filter and analyze the output.
• Use watch for Real-time Monitoring: Wrap commands like netstat -i or vmstat with watch for continuous updates.
• Background iotop: Run iotop -b -d 1 -n <iterations> > iotop.log & to log I/O activity to a file in the background without blocking your terminal. Remember to kill the background process when you’re done.

7. Troubleshooting

• htop not installed: Install it using your distribution’s package manager (e.g., sudo apt install htop on Debian/Ubuntu, sudo yum install htop on CentOS/RHEL).
• iotop not installed: Similar to htop, install it using your distribution’s package manager. You might also need to install the python-psutil package.
• iotop showing incorrect values: Ensure that the kernel module required for I/O accounting is enabled. This is usually enabled by default, but check your kernel configuration.
• netstat not showing process names: You might need to run netstat with sudo to see process names associated with network connections.
• Slow netstat: Avoid using netstat without the -n option, as resolving hostnames can be slow.

8. Related Commands

• top: A basic process viewer. htop is a better alternative.
• ps: Process status. Useful for scripting and finding specific processes.
• vmstat: Virtual memory statistics. Provides information about memory usage, swapping, CPU activity, and I/O.
• iostat: I/O statistics. Provides detailed information about disk I/O.
• free: Displays the amount of free and used memory in the system.
• df: Disk free space. Shows the amount of disk space available on each mounted file system.
• du: Disk usage. Estimates file space usage.
• lsof: List open files. Useful for identifying which processes are using specific files or network sockets. Example: lsof -i :80 (show processes using port 80).
• tcpdump: A powerful packet analyzer. Used for capturing and analyzing network traffic.
• ss: Socket Statistics. A modern alternative to netstat. Provides more detailed information and is generally faster. Example: ss -ltnp (list listening TCP sockets with process names).

By using these commands effectively, you can gain valuable insights into your system’s performance and troubleshoot issues quickly. Remember to consult the man pages for more detailed information about each command and its options. Always be cautious when using commands that could potentially affect system stability, such as killing processes.