Process investigation
Please see top CPU consumers or top RAM consumers for commands to find the offending processes.
Example Process:
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
apache 1234 99.0 40.6 4704844 400260 ? S 11:08 0:08 /usr/sbin/httpd
Investigating a PID
First we need to find out whether the process has an established connection (replace 1234 with the PID):
netstat -pant | grep 1234
Process 'State' Investigation
An important column to look into is the 'State' column. This tells you what the process is currently doing:
State | Definition |
---|---|
D | uninterruptible sleep (usually IO) |
R | running or runnable (on run queue) |
S | interruptible sleep (waiting for an event to complete) |
T | stopped, either by a job control signal or because it is being traced |
X | dead (should never be seen) |
Z | defunct (“zombie”) process, terminated but not reaped by its parent |
< | high-priority (not nice to other users) |
N | low-priority (nice to other users) |
L | has pages locked into memory (for real-time and custom IO) |
s | is a session leader |
l | is multi-threaded (using CLONE_THREAD, like NPTL pthreads do) |
+ | is in the foreground process group |
Checking Process Activity
Once you have a process to investigate, we will need to find out if the process is alive/active.
We can run an strace command for a certain amount of time for this.
The command below runs strace for 5 seconds and then terminates it. Replace 1234 with the PID you are investigating:
timeout 5 strace -p 1234
If there is some output on the screen, this means the process is active.
If there is nothing on the screen except something similar to the following then the process is not currently active:
Process 1 attached <detached ...>
If the process is not active and the output from the netstat command does not return anything then the process could be dead.
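The same triage without ptrace access, as an added example that is not part of the original page: it reads /proc directly, using a rise in CPU ticks over the interval as a coarser stand-in for the strace check and counting ESTABLISHED TCP sockets instead of grepping netstat. The function names and result labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original page: triage a PID using only /proc.

# read_stat PID -> prints "STATE CPU_TICKS" (utime+stime); fails if PID is gone.
read_stat() {
    rs_line=$(cat "/proc/$1/stat" 2>/dev/null) || return 1
    # Field 2 (comm) may contain spaces or ')', so cut after the last ") ".
    rs_rest=${rs_line##*") "}
    read -r rs_state _ _ _ _ _ _ _ _ _ _ rs_utime rs_stime _ <<EOF
$rs_rest
EOF
    echo "$rs_state $((rs_utime + rs_stime))"
}

# established_count PID -> number of ESTABLISHED TCP sockets held by PID.
established_count() {
    # Socket inodes behind the PID's open file descriptors.
    ec_inodes=$(ls -l "/proc/$1/fd" 2>/dev/null |
        sed -n 's/.*socket:\[\([0-9]*\)].*/\1/p' | tr '\n' ' ')
    cat "/proc/$1/net/tcp" "/proc/$1/net/tcp6" 2>/dev/null |
        awk -v want="$ec_inodes" '
            BEGIN { n = split(want, a, " "); for (i = 1; i <= n; i++) own[a[i]] = 1 }
            $4 == "01" && ($10 in own) { c++ }   # st 01 = ESTABLISHED, $10 = inode
            END { print c + 0 }'
}

# triage PID [SECONDS] -> gone | zombie | stopped | blocked-io | active |
#                         idle-connected | idle-no-connections
triage() {
    t_before=$(read_stat "$1") || { echo gone; return 0; }
    sleep "${2:-5}"
    t_after=$(read_stat "$1") || { echo gone; return 0; }
    case ${t_after%% *} in
        Z) echo zombie; return 0 ;;
        T|t) echo stopped; return 0 ;;
        D) echo blocked-io; return 0 ;;
    esac
    if [ "${t_after##* }" -gt "${t_before##* }" ]; then
        echo active
    elif [ "$(established_count "$1")" -gt 0 ]; then
        echo idle-connected
    else
        echo idle-no-connections   # the page's "could be dead" case
    fi
}

# Run against a PID given on the command line, e.g.: sh triage.sh 1234
if [ $# -gt 0 ]; then triage "$@"; fi
```

A process that only makes a few cheap system calls can stay under one CPU tick for the whole interval, so confirm an idle result with the strace check above before acting on it.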
process_investigation.txt · Last modified: 2024/05/23 07:26 by 127.0.0.1