Commands by d34dh0r53 (5)

  • Prints the top 10 memory consuming processes (with children and instances aggregated) sorted by total RSS and calculates the percentage of total RAM each uses. Please note that since RSS can include shared libraries it is possible for the percentages to add up to more that the total amount of RAM, but this still gives you a pretty good idea. Also note that this does not work with the mawk version of awk, but it works fine with GNU Awk which is on most Linux systems. It also does not work on OS X. Show Sample Output

    TR=`free|grep Mem:|awk '{print $2}'`;ps axo rss,comm,pid|awk -v tr=$TR '{proc_list[$2]+=$1;} END {for (proc in proc_list) {proc_pct=(proc_list[proc]/tr)*100; printf("%d\t%-16s\t%0.2f%\n",proc_list[proc],proc,proc_pct);}}'|sort -n |tail -n 10
    d34dh0r53 · 2010-03-27 01:34:50 4
  • This command loops over all of the processes in a system and creates an associative array in awk with the process name as the key and the sum of the RSS as the value. The associative array has the effect of summing a parent process and all of it's children. It then prints the top ten processes sorted by size. Show Sample Output

    ps axo rss,comm,pid | awk '{ proc_list[$2]++; proc_list[$2 "," 1] += $1; } END { for (proc in proc_list) { printf("%d\t%s\n", proc_list[proc "," 1],proc); }}' | sort -n | tail -n 10
    d34dh0r53 · 2010-03-03 16:41:05 2
  • I prefer the ip command to ifconfig as ifconfig is supposedly going to be deprecated. Certain IP address aliases can only be seen with the ip command (such as the ones applied by RHCS).

    ip link show
    d34dh0r53 · 2010-03-01 20:10:27 0
  • Change the name of the process and what is echoed to suit your needs. The brackets around the h in the grep statement cause grep to skip over "grep httpd", it is the equivalent of grep -v grep although more elegant. Show Sample Output

    TOTAL_RAM=`free | head -n 2 | tail -n 1 | awk '{ print $2 }'`; PROC_RSS=`ps axo rss,comm | grep [h]ttpd | awk '{ TOTAL += $1 } END { print TOTAL }'`; PROC_PCT=`echo "scale=4; ( $PROC_RSS/$TOTAL_RAM ) * 100" | bc`; echo "RAM Used by HTTP: $PROC_PCT%"
    d34dh0r53 · 2010-02-26 20:29:45 3
  • Provides numerically sorted human readable du output. I so wish there was just a du flag for this. Show Sample Output

    du -x --max-depth=1 | sort -n | awk '{ print $2 }' | xargs du -hx --max-depth=0
    d34dh0r53 · 2010-02-18 19:46:47 2

What's this? is the place to record those command-line gems that you return to again and again. That way others can gain from your CLI wisdom and you from theirs too. All commands can be commented on, discussed and voted up or down.

Share Your Commands

Check These Out

Debug a remote php application (behind firewall) using ssh tunnel for XDEBUG port 9000
If you need to xdebug a remote php application, which is behind a firewall, and you have an ssh daemon running on that machine. you can redirect port 9000 on that machine over to your local machine from which you run your xdebug client (I am using phpStorm) So, run this command on your local machine and start your local xdebug client, to start debugging. more info:

Nicely display permissions in octal format with filename
Since the original command (#1873) didn't work on FreeBSD whose stat lacks the "-c" switch, I wrote an alternative that does. This command shows also the fourth digit of octal format permissions which yields the sticky bit information.

Get IPv4 of eth0 for use with scripts
I've been using it in a script to build from scratch proxy servers.

Summarize Apache Extended server-status to show longest running requests
Ever need to know why Apache is bogging down *right now*? Hate scanning Apache's Extended server-status for the longest running requests? Me, too. That's why I use this one liner to quickly find suspect web scripts that might need review. Assuming the Extended server-status is reachable at the target URL desired, this one-liner parses the output through elinks (rendering the HTML) and shows a list of active requests sorted by longest running request at the bottom of the list. I include the following fields (as noted in the header line): Seconds: How long the request is alive PID: Process ID of the request handler State: State of the request, limited to what I think are the relevant ones (GCRK_.) IP: Remote Host IP making the request Domain: Virtual Host target (HTTP/1.1 Host: header). Important for Virtual Hosting servers TYPE: HTTP verb URL: requested URL being served. Putting this in a script that runs when triggered by high load average can be quite revealing. Can also capture "forgotten" scripts being exploited such as "", etc.

Do some learning...

creeate file named after actual date
Create a file with actual date as filename

coloured shell prompt
This coloured prompt will show: username in green, grey "@" sign, hostname in red, current directory in yellow, typed commands in green.

get diskusage of files modified during the last n days
get diskusage of files (in this case logfiles in /var/log) modified during the last n days: $ sudo find /var/log/ -mtime -n -type f | xargs du -ch n -> last modified n*24 hours ago Numeric arguments can be specified as +n for greater than n, -n for less than n, n for exactly n. => so 7*24 hours (about 7 days) is -7 $ sudo find /var/log/ -mtime -7 -type f | xargs du -ch | tail -n1

Clone starred github repos in parallel with unlimited speed, this example will clone 25 repositories in parallel at same time.

Get AWS temporary credentials ready to export based on a MFA virtual appliance
You might want to secure your AWS operations requiring to use a MFA token. But then to use API or tools, you need to pass credentials generated with a MFA token. This commands asks you for the MFA code and retrieves these credentials using AWS Cli. To print the exports, you can use: `awk '{ print "export AWS_ACCESS_KEY_ID=\"" $1 "\"\n" "export AWS_SECRET_ACCESS_KEY=\"" $2 "\"\n" "export AWS_SESSION_TOKEN=\"" $3 "\"" }'` You must adapt the command line to include: * $MFA_IDis ARN of the virtual MFA or serial number of the physical one * TTL for the credentials

Stay in the loop…

Follow the Tweets.

Every new command is wrapped in a tweet and posted to Twitter. Following the stream is a great way of staying abreast of the latest commands. For the more discerning, there are Twitter accounts for commands that get a minimum of 3 and 10 votes - that way only the great commands get tweeted.


Subscribe to the feeds.

Use your favourite RSS aggregator to stay in touch with the latest commands. There are feeds mirroring the 3 Twitter streams as well as for virtually every other subset (users, tags, functions,…):

Subscribe to the feed for: