ARTICLE

Using Top More Efficiently
Contributed by Mulyadi Santosa in Misc on 2006-03-28 04:05:13
Page 3 of 5

D. Fields that we need

By default, top starts by showing the following task's property:

FieldDescription
PID : Process ID
USER :Effective User ID
PR : Dynamic priority
NI :Nice value, also known as base priority
VIRT : Virtual Size of the task. This includes the size of process's executable binary, the data area and all the loaded shared libraries.
RES : The size of RAM currently consumed by the task. Swapped out portion of the task is not included.
SHR : Some memory areas could be shared between two or more task, this field reflects that shared areas. The example of shared area are shared library and SysV shared memory.
S : Task status
%CPU : The percentage of CPU time dedicated to run the task since the last top's screen update.
%MEM : The percentage of RAM currently consumed by the task.
TIME+ : The total CPU time the task has been used since it started. "+" sign means it is displayed with hundreth of a second granularity. By default, TIME/TIME+ doesn't account the CPU time used by the task's dead children.
COMMAND : Showing program names.

But, there are more. Here, I will just explain fields that might interest you:

FieldDescription
nFLT (key 'u')

Number of major page fault since the process is started. Technically, page fault happens when the task access a non existant page in its address space. A page fault is said as "major" if kernel needs to access the disk to make the page available. On the contrary, soft minor page fault means the kernel only need to allocate pages in RAM without reading anything from disk.

For illustration, consider the size of program ABC is 8 kB and assume the page size is 4 kB. When the program is fully loaded to RAM, there will be 2 times major page fault (2 * 4 kB). The program itself allocates another 8 kB for temporary data storage in RAM. Thus, there will be 2 minor page fault.

A high number of nFLT could mean:

  1. The task is aggressively load some portions of its executable or library from the disk.
  2. The task is accessing a page that is swapped ou

It is normal if you see a high number of major page fault when a program is run for first time. On the next invocations, buffer is utilized so likely you will see "0" or low number of nFLT. But, if a program is continously triggerring major page fault, big chance your program needs larger RAM size than currently installed.
nDRT (key 'v')

The number of dirty pages since they are written back to the disk.

Maybe you wonder, what is dirty page? First, a little bac ground. As you know, Linux employ caching mechanism, so everything that is read from disk is also cached in RAM. The advantage of this action is, subsequent read to the same disk block can be served from RAM thus reading completes faster.

But it also costs something. If the buffer's content is modified, it needs to be synchronized. Thus, sooner or la this modified buffer (dirty page) must be written back. The failure on the synchronization might cause data inconsistency on related disk.

On mostly idle to fairly loaded system, nDRT is usually below 10 (this is just a raw prediction)or mostly zero. If it is constantly bigger than that:

  1. The task is aggresively write something to file(s). It is so often that disk I/O can't keep up with it
  2. The disk suffers I/O congestion, thus even the task only modifies small portion of file(s), it must wait a bit longer to be synchronized. Congestion happens when many processes access the disk at a time but cache hit is low.

These days, (1) unlikely happens because I/O speed is getting faster and less CPU demanding (thanks to DMA). So (2) has bigger probability.

Note: On 2.6.x, this field is always zero without unknown reason.
P (key 'j')

Last used CPU. This field only has meaning in SMP environment. SMP here refers to Hyperthread, multi core or true multi processor. If you just have one processor (non multi core, not HT), this field will always show '0'.

In SMP system, don't be surprised if this field change sometimes. That means, the Linux kernel tries to move your task to the other CPU which is considered less loaded.
CODE (key 'r') and DATA (key 's')

CODE simply reflects the size of your application code, while DATA reflects the size of data segment (stack, heap, variables but not shared libraries). Both are measured in kilobyte.

DATA is useful to show how much your application allocates memory. Sometimes, it can also reveal memory leaks. Of course, you need better tool such as valgrind to differentiate between repetitive memory allocation or growing memory leaks if DATA continously climbs up.

Note: DATA, CODE, SHR, SWAP, VIRT, RES are all measured in page size (4KB in Intel architecture). Read only data section is also calculated as CODE size, thus sometimes it is larger than the actual text (executable) segment.
SWAP (key 'p')

The size of swapped out portion of a task's virtual memory image. This field is sometimes confusing, here is why:

Logically, you would expect this field really shows whether your program is partially swapped out and how much. But the reality shows otherwise. Even the "Swap used" field shows 0, you will be surprised that SWAP field of each tasks show greater than zero number. So, what's wrong?

This comes from the fact that top use this formula:


                VIRT = SWAP + RES or equal
                SWAP = VIRT - RES

As explained previously, VIRT includes anything inside task's address space, no matter it is in RAM, swapped out or still not loaded from disk. While RES represents total RAM consumed by this task. So, SWAP here means it represents the total amount of data being swapped out OR still not loaded from disk. Don't be fooled by the name, it doesn't just represent the swapped out data.

To display the above fields, press 'f' inside the interactive mode. Then press the related key (mentioned above inside the parentheses). Those keys toggle the related fields, so press once to show it, press again to hide it. To find out whether the fields are displayed or not, simply watch the series of letters on the first line (at the right of "Current Fields"). Uppercase means the fields is shown, lower case means the opposite. Press Enter after you are satisfied with the selection.

Sorting use similar way. Press 'O' (upper case) followed by a key representing the field. Don't worry if you don't remember the key map, top will show it. The new sort key will be marked with asterisk and the letter will change to upper case, so you can notice it easily. Press Enter after you are finished



Article Index
Using Top More Efficiently
Fast or slow update?
Fields we need
Multi view are better than one?
Conclusion
 
Discussion(s)
Network engineer
Written by kourosh on 2008-01-28 13:32:24
Hope you don't mind but not enough examples given
Discuss! Reply!

Network Engineer
Written by Mark on 2008-02-07 10:43:18
Quote:
Hope you don't mind but not enough examples given




Congratulations on the most polite criticism ever delivered on the web. Well, at least in my travels, I've never seen a critique of an article so gently worded. Anyway, Kudos to you for your politeness.

As it turns out, I beg to differ with your critique. IMHO, the article had sufficient examples: Just enough to whet your appetite and get you reading the man page for more.
Discuss! Reply!

RE:
Written by Ritwik Malvi on 2008-02-11 17:14:16
Quote:
Quote:
Hope you don't mind but not enough examples given




Congratulations on the most polite criticism ever delivered on the web. Well, at least in my travels, I've never seen a critique of an article so gently worded. Anyway, Kudos to you for your politeness.

As it turns out, I beg to differ with your critique. IMHO, the article had sufficient examples: Just enough to whet your appetite and get you reading the man page for more.




Is there any way to monitor just the top 10 processes in Linux(like using the -n switch in Unixware)?
Discuss! Reply!

RE:
Written by Ritwik Malvi on 2008-02-11 17:15:41
Quote:
Quote:
Quote:
Hope you don't mind but not enough examples given




Congratulations on the most polite criticism ever delivered on the web. Well, at least in my travels, I've never seen a critique of an article so gently worded. Anyway, Kudos to you for your politeness.

As it turns out, I beg to differ with your critique. IMHO, the article had sufficient examples: Just enough to whet your appetite and get you reading the man page for more.




Is there any way to monitor just the top 10 processes in Linux(like using the -n switch in Unixware)?




I meant the top 10 processes consuming CPU (the top 10 processes from the top -S command)
Discuss! Reply!

Thanks!
Written by Anonymous bin Ich on 2008-04-04 03:17:25
Good article.

It would be nice if you added once sentence descriptions to all the Fields of top.

(Ok, I know that higher NICE value means lower priority, but what about higher PR value?)
Discuss! Reply!

Stop the loop?
Written by Sonya* on 2008-04-21 05:12:51
I typed top -b and it was indefintely loop as you said, but how can I stop this loop? I had to kill the putty session to quit it. Thank you.
Discuss! Reply!

Processes and Loop
Written by Jorge Chollet on 2008-04-22 18:53:02
Quote:
I typed top -b and it was indefintely loop as you said, but how can I stop this loop? I had to kill the putty session to quit it. Thank you.




@Ritwik Malvi: You can enter top in interactive mode (just type 'top' without parameters) and type 'n', then enter the number of processes you want to see.

@Sonya: Just press Ctrl+C. I use Putty myself at work.
Discuss! Reply!

a
Written by mark on 2008-05-06 19:24:16
Quote:
I typed top -b and it was indefintely loop as you said, but how can I stop this loop? I had to kill the putty session to quit it. Thank you.





I have the same problem. How do you stop top??
Discuss! Reply!

a
Written by Mark on 2008-05-06 19:26:17

I just found your reply to use control c to stop top.

That works great! Thanks!!
Discuss! Reply!

top process states
Written by pavan on 2008-05-15 09:05:04
can anybody tell what is "SWN" state of a process
Discuss! Reply!

Monitor process via command name?
Written by viettrung on 2008-07-04 10:21:40
Hi,

Thank you for a useful article.

I just want to know whether it is possible to monitor a process via its (command) name rather than its process identifier? If so, how?

Regards,

.viettrung.
Discuss! Reply!