How to Use Top, Netstat, du, and Other Tools to Monitor Server Resources
Server monitoring might seem like the boring part of sysadmin work, but trust me – it’s the difference between sleeping peacefully and getting 3 AM panic calls about crashed services. Whether you’re managing a single VPS or a fleet of dedicated servers, knowing how to effectively monitor CPU usage, memory consumption, disk space, and network activity is absolutely crucial. This guide will walk you through the essential command-line tools that every server admin should master: top, netstat, du, and several other incredibly useful utilities that will give you deep insights into what’s happening under the hood of your systems.
How Server Resource Monitoring Works
Server resource monitoring operates through the Linux kernel’s built-in interfaces that expose system statistics via special filesystems like /proc and /sys. When you run commands like top or netstat, you’re essentially reading and interpreting data from these kernel interfaces in a human-readable format.
The monitoring process works on several levels:
- Process-level monitoring – tracking individual applications and their resource consumption
- System-level monitoring – overall CPU, memory, and I/O statistics
- Network monitoring – connection states, traffic patterns, and port usage
- Storage monitoring – disk usage, I/O operations, and filesystem health
Most monitoring tools update their information in real-time by periodically polling these kernel interfaces. The frequency of updates can usually be configured, though more frequent polling does consume additional system resources.
Essential Monitoring Tools Setup Guide
The beauty of these tools is that most come pre-installed on virtually every Linux distribution. However, let’s make sure you have everything you need and know how to configure them properly.
Installing Missing Tools
On Ubuntu/Debian systems:
sudo apt update
sudo apt install htop iotop nethogs sysstat tree ncduOn CentOS/RHEL/AlmaLinux:
sudo yum install epel-release
sudo yum install htop iotop nethogs sysstat tree ncduBasic Configuration
Enable sysstat data collection (this gives you historical statistics):
sudo systemctl enable sysstat
sudo systemctl start sysstatCreate a simple monitoring script for regular checks:
#!/bin/bash
# Quick system health check
echo "=== System Health Check $(date) ==="
echo "Load Average:"
uptime
echo -e "\nMemory Usage:"
free -h
echo -e "\nDisk Usage:"
df -h | grep -E '^/dev'
echo -e "\nTop 5 CPU Processes:"
ps aux --sort=-%cpu | head -6Deep Dive into Essential Tools
The top Command and Its Enhanced Cousin htop
The classic top command is your first line of defense for identifying resource-hungry processes. However, htop provides a much more user-friendly interface with color coding and mouse support.
Basic top usage:
# Standard top with 2-second updates
top -d 2
# Show processes for specific user
top -u www-data
# Batch mode for scripting (useful for logging)
top -b -n 1 | head -20Advanced htop shortcuts that’ll save your sanity:
- F6 – Sort by different columns (CPU, Memory, Time)
- F4 – Filter processes by name
- F5 – Tree view (shows parent-child relationships)
- F9 – Kill processes directly from the interface
- Shift+H – Show/hide threads
Here’s a pro tip: You can customize htop’s display by pressing F2 to access setup. I always enable the detailed CPU meter and add columns for PPID and PGRP when troubleshooting complex application stacks.
Network Monitoring with netstat and Modern Alternatives
While netstat is being phased out in favor of ss (socket statistics), both are incredibly valuable for understanding network connections and identifying potential issues.
Essential netstat commands:
# Show all listening ports
netstat -tuln
# Show active connections with process names
netstat -tulnp
# Display routing table
netstat -rn
# Show network interface statistics
netstat -iThe modern ss command (faster and more feature-rich):
# Equivalent to netstat -tuln
ss -tuln
# Show processes using ports
ss -tulnp
# Display only TCP connections in ESTABLISHED state
ss -t state established
# Show connections to specific port
ss -tuln sport :80For real-time network monitoring per process, nethogs is absolutely brilliant:
# Monitor network usage by process
sudo nethogs
# Monitor specific interface
sudo nethogs eth0Disk Usage Analysis with du and Enhanced Tools
Disk space issues can bring servers to their knees faster than almost anything else. The standard du command is essential, but tools like ncdu make disk usage analysis much more intuitive.
Classic du usage patterns:
# Check current directory size
du -sh
# Find largest directories in current location
du -sh * | sort -hr
# Show directory sizes up to 2 levels deep
du -h --max-depth=2 | sort -hr
# Find files larger than 100MB
find /var -size +100M -type f -exec ls -lh {} \;The ncdu tool provides an interactive interface that’s perfect for drilling down into disk usage:
# Interactive disk usage analyzer
ncdu /
# Export results to file for later analysis
ncdu -o /tmp/diskusage.ncdu /
# Later: ncdu -f /tmp/diskusage.ncduReal-World Monitoring Scenarios
Let me share some battle-tested scenarios that you’ll definitely encounter in production environments.
Scenario 1: High Load Average Investigation
Your server’s load average is sitting at 8.0 on a 4-core machine. Here’s your troubleshooting workflow:
# Step 1: Check current system load
uptime
# Output: 14:30:12 up 5 days, 3:15, 2 users, load average: 8.02, 7.85, 6.90
# Step 2: Identify CPU-hungry processes
htop
# Or for scripting:
ps aux --sort=-%cpu | head -10
# Step 3: Check for I/O wait
iostat -x 1 5
# Step 4: Identify processes causing I/O wait
sudo iotop -oCommon findings and solutions:
| Symptom | Likely Cause | Investigation Command | Typical Solution |
|---|---|---|---|
| High CPU usage | Runaway processes | top -c |
Kill/restart problematic processes |
| High I/O wait | Disk bottleneck | iotop -a |
Optimize queries, add SSD storage |
| Many processes in D state | Storage issues | ps aux | grep " D " |
Check filesystem integrity |
Scenario 2: Memory Leak Detection
Applications with memory leaks are sneaky – they gradually consume more memory until your server starts swapping or crashes. Here’s how to catch them:
# Monitor memory usage over time
free -h -s 5
# Identify memory-hungry processes
ps aux --sort=-%mem | head -10
# Check swap usage
swapon --show
cat /proc/swaps
# Monitor memory usage per process over time
while true; do
ps aux --sort=-%mem | head -10 | grep -E "(nginx|mysql|php)"
sleep 30
donePro tip: Create a memory monitoring script that logs suspicious processes:
#!/bin/bash
THRESHOLD=80
MEMORY_USAGE=$(free | grep Mem | awk '{printf("%.0f", $3/$2 * 100.0)}')
if [ $MEMORY_USAGE -gt $THRESHOLD ]; then
echo "$(date): Memory usage is ${MEMORY_USAGE}%" >> /var/log/memory-alert.log
ps aux --sort=-%mem | head -10 >> /var/log/memory-alert.log
echo "---" >> /var/log/memory-alert.log
fiScenario 3: Network Connection Analysis
Suspicious network activity or connection limits being reached require immediate investigation:
# Count connections by state
ss -ant | awk '{print $1}' | sort | uniq -c
# Find which processes have the most connections
ss -tulnp | grep LISTEN | sort
# Check for unusual outbound connections
ss -o state established '( dport :443 or sport :443 )'
# Monitor new connections in real-time
watch -n 1 'ss -ant | wc -l'Here’s a useful script to identify potential DDoS attacks or connection abuse:
#!/bin/bash
echo "Top 10 IP addresses by connection count:"
ss -tn | tail -n +2 | awk '{print $4}' | cut -d: -f1 | sort | uniq -c | sort -nr | head -10
echo -e "\nConnection states summary:"
ss -ant | tail -n +2 | awk '{print $1}' | sort | uniq -cAdvanced Monitoring Techniques and Automation
Once you’ve mastered the basics, you can automate monitoring tasks and create sophisticated alerting systems.
Creating Custom Monitoring Scripts
Here’s a comprehensive system health script that combines multiple monitoring tools:
#!/bin/bash
# comprehensive-monitor.sh
LOG_FILE="/var/log/system-health.log"
DATE=$(date '+%Y-%m-%d %H:%M:%S')
# Function to log with timestamp
log_with_timestamp() {
echo "[$DATE] $1" | tee -a $LOG_FILE
}
# Check system load
LOAD_1MIN=$(uptime | awk -F'load average:' '{print $2}' | awk -F',' '{print $1}' | xargs)
LOAD_THRESHOLD=4.0
if (( $(echo "$LOAD_1MIN > $LOAD_THRESHOLD" | bc -l) )); then
log_with_timestamp "WARNING: High load average: $LOAD_1MIN"
ps aux --sort=-%cpu | head -5 >> $LOG_FILE
fi
# Check memory usage
MEM_USAGE=$(free | grep Mem | awk '{printf("%.1f", $3/$2 * 100.0)}')
if (( $(echo "$MEM_USAGE > 85.0" | bc -l) )); then
log_with_timestamp "WARNING: High memory usage: ${MEM_USAGE}%"
fi
# Check disk usage
df -h | awk '$5 > 85 {print}' | while read output; do
log_with_timestamp "WARNING: High disk usage: $output"
done
# Check for too many connections
CONN_COUNT=$(ss -ant | wc -l)
if [ $CONN_COUNT -gt 1000 ]; then
log_with_timestamp "WARNING: High connection count: $CONN_COUNT"
fiSet this up as a cron job to run every 5 minutes:
# Add to crontab with: crontab -e
*/5 * * * * /usr/local/bin/comprehensive-monitor.shIntegration with System Services
You can create systemd services for continuous monitoring. Here’s an example service file:
# /etc/systemd/system/custom-monitor.service
[Unit]
Description=Custom System Monitor
After=network.target
[Service]
Type=simple
ExecStart=/usr/local/bin/continuous-monitor.sh
Restart=always
RestartSec=30
User=monitor
[Install]
WantedBy=multi-user.targetEnable and start the service:
sudo systemctl enable custom-monitor.service
sudo systemctl start custom-monitor.service
sudo systemctl status custom-monitor.serviceTool Comparison and Performance Impact
Different monitoring tools have varying performance impacts and capabilities. Here’s a breakdown:
| Tool | CPU Impact | Memory Usage | Features | Best Use Case |
|---|---|---|---|---|
| top | Low | ~2MB | Basic, universal | Quick checks, scripting |
| htop | Low-Medium | ~5MB | Enhanced UI, filtering | Interactive monitoring |
| netstat | Medium | ~3MB | Comprehensive networking | Legacy systems |
| ss | Low | ~2MB | Fast, modern networking | Current systems |
| iotop | Medium | ~4MB | I/O monitoring | Disk bottleneck analysis |
| nethogs | Medium-High | ~6MB | Per-process network usage | Network abuse detection |
Interesting Facts and Unconventional Use Cases
Here are some lesser-known but incredibly useful applications of these monitoring tools:
- Gaming server optimization: Use
htopwith custom columns to monitor game server tick rates and player connection handling - Cryptocurrency mining detection: Monitor for processes with suspiciously high CPU usage that don’t correspond to legitimate services
- Container resource limits: Use these tools inside Docker containers to verify that resource limits are being enforced correctly
- Performance regression testing: Script combinations of these tools to automatically detect when deployments cause performance degradation
One particularly clever use I’ve seen is using ss to monitor database connection pools in real-time during load testing, helping identify optimal connection pool sizes.
Integration with Modern DevOps Workflows
These traditional tools integrate beautifully with modern monitoring solutions:
# Export metrics for Prometheus
#!/bin/bash
# prometheus-node-exporter-custom.sh
echo "# HELP custom_load_average Current load average"
echo "# TYPE custom_load_average gauge"
echo "custom_load_average $(uptime | awk -F'load average:' '{print $2}' | awk -F',' '{print $1}' | xargs)"
echo "# HELP custom_memory_usage_percent Memory usage percentage"
echo "# TYPE custom_memory_usage_percent gauge"
echo "custom_memory_usage_percent $(free | grep Mem | awk '{printf("%.2f", $3/$2 * 100.0)}')"You can also pipe tool output to logging systems like ELK stack or Splunk for historical analysis and alerting:
# Send monitoring data to syslog for centralized logging
logger -t "system-monitor" "Load: $(uptime | awk -F'load average:' '{print $2}')"When to Scale Up Your Infrastructure
These monitoring tools will help you identify when it’s time to upgrade your infrastructure. Key indicators include:
- Consistent load averages above CPU core count
- Memory usage consistently above 80%
- Disk I/O wait times regularly exceeding 20%
- Network connection limits being reached regularly
For growing applications, consider upgrading to a more powerful VPS solution or moving to a dedicated server when your current infrastructure consistently shows resource constraints.
Related Tools and Extended Ecosystem
These core tools are part of a larger ecosystem of monitoring utilities:
- vmstat – Virtual memory statistics and system performance
- iostat – I/O statistics for devices and partitions
- sar – System activity reporter (part of sysstat package)
- lsof – List open files and network connections
- tcpdump/wireshark – Network packet analysis
- strace – System call tracing for debugging
For more advanced monitoring, consider integrating with:
- Prometheus for metrics collection
- Grafana for visualization
- Elastic Beats for log shipping
- Nagios or Icinga for alerting
Conclusion and Best Practices
Mastering these fundamental monitoring tools is essential for anyone serious about server administration. The combination of top/htop for process monitoring, netstat/ss for network analysis, and du/ncdu for disk usage provides a comprehensive foundation for understanding your server’s behavior.
Key recommendations for effective monitoring:
- Automate routine checks – Create scripts that run regular health checks and alert you to issues
- Establish baselines – Know what “normal” looks like for your specific applications and workloads
- Monitor trends, not just snapshots – Use tools like
sarto track performance over time - Combine tools for complete pictures – High load could be CPU, I/O, or network related – use multiple tools to diagnose
- Document your findings – Keep notes about what specific patterns mean for your infrastructure
Remember that monitoring is not just about fixing problems after they occur – it’s about understanding your systems well enough to prevent issues and plan for growth. These tools will serve you well whether you’re managing a single application server or a complex multi-tier architecture.
Start with the basics, build up your monitoring scripts gradually, and don’t be afraid to dig deep when something doesn’t look right. Your future self (and your users) will thank you for the proactive approach to system health monitoring.
This article incorporates information and material from various online sources. We acknowledge and appreciate the work of all original authors, publishers, and websites. While every effort has been made to appropriately credit the source material, any unintentional oversight or omission does not constitute a copyright infringement. All trademarks, logos, and images mentioned are the property of their respective owners. If you believe that any content used in this article infringes upon your copyright, please contact us immediately for review and prompt action.
This article is intended for informational and educational purposes only and does not infringe on the rights of the copyright owners. If any copyrighted material has been used without proper credit or in violation of copyright laws, it is unintentional and we will rectify it promptly upon notification. Please note that the republishing, redistribution, or reproduction of part or all of the contents in any form is prohibited without express written permission from the author and website owner. For permissions or further inquiries, please contact us.
More stories
