Viewing files and processes as trees on Linux

A look at three Linux commands - ps, pstree and tree - for viewing files and processes in a tree-like format.

wood thrush bird in tree hidden camouflage by melissa mcmasters via flickr
Melissa McMasters (CC BY 2.0)

Linux provides several handy commands for viewing both files and processes in a branching, tree-like format that makes it easy to view how they are related. In this post, we'll look at the ps, pstree and tree commands along with some options they provide to help focus your view on what you want to see.

ps

The ps command that we all use to list processes has some interesting options that many of us never take advantage of. While the commonly used ps -ef provides a complete listing of running processes, the ps -ejH command adds a nice effect. It indents related processes to make the relationship between these processes visually more clear  – as in this excerpt:

$ ps -ejH
  PID  PGID   SID TTY          TIME CMD
...
 1396  1396  1396 ?        00:00:00   sshd
28281 28281 28281 ?        00:00:00     sshd
28409 28281 28281 ?        00:00:00       sshd
28410 28410 28410 pts/0    00:00:00         bash
30968 30968 28410 pts/0    00:00:00           ps

As you can see, the ps process is being run is run within bash and bash within an ssh session.

The -exjf option string provides a similar view, but with some additional details and symbols to highlight the hierarchical nature of the processes:

$ ps -exjf
PPID   PID  PGID   SID TTY      TPGID STAT   UID   TIME COMMAND
...
    1  1396  1396  1396 ?           -1 Ss       0   0:00 /usr/sbin/sshd -D
 1396 28281 28281 28281 ?           -1 Ss       0   0:00  \_ sshd: shs [priv]
28281 28409 28281 28281 ?           -1 S     1000   0:00      \_ sshd: shs@pts/0
28409 28410 28410 28410 pts/0    31028 Ss    1000   0:00          \_ -bash
28410 31028 31028 28410 pts/0    31028 R+    1000   0:00              \_ ps axjf

The options used in these commands represent:

-e  select all processes
-j  use the jobs format
-f  provide a full format listing
-H  show the process hierarchy (i.e., the "forest format")
-x  lift the "must be associated with a tty" restriction

There's also a --forest option that provides a similar view.

$ ps -ef --forest
UID        PID  PPID  C STIME TTY          TIME CMD
...
root      1396     1  0 Oct08 ?        00:00:00 /usr/sbin/sshd -D
root     28281  1396  0 12:55 ?        00:00:00  \_ sshd: shs [priv]
shs      28409 28281  0 12:56 ?        00:00:00      \_ sshd: shs@pts/0
shs      28410 28409  0 12:56 pts/0    00:00:00          \_ -bash
shs      32351 28410  0 14:39 pts/0    00:00:00              \_ ps -ef --forest

Note that these examples are only a sampling of how these commands can be used. You can select whichever options that give you the view of processes that works best for you.

pstree

A similar view of processes is available using the pstree command. While even pstree offers many options, the command provides a very useful display on its own. Notice that many parent-child process relationships are displayed on single lines rather than subsequent lines.

$ pstree
...
        ├─sshd───sshd───sshd───bash───pstree
        ├─systemd─┬─(sd-pam)
        │         ├─at-spi-bus-laun─┬─dbus-daemon
        │         │                 └─3*[{at-spi-bus-laun}]
        │         ├─at-spi2-registr───2*[{at-spi2-registr}]
        │         ├─dbus-daemon
        │         ├─ibus-portal───2*[{ibus-portal}]
        │         ├─pulseaudio───2*[{pulseaudio}]
        │         └─xdg-permission-───2*[{xdg-permission-}]

With the -n option, pstree displays the process in numerical (by process ID) order:

$ pstree -n
systemd─┬─systemd-journal
        ├─systemd-udevd
        ├─systemd-timesyn───{systemd-timesyn}
        ├─systemd-resolve
        ├─systemd-logind
        ├─dbus-daemon
        ├─atopacctd
        ├─irqbalance───{irqbalance}
        ├─accounts-daemon───2*[{accounts-daemon}]
        ├─acpid
        ├─rsyslogd───3*[{rsyslogd}]
        ├─freshclam
        ├─udisksd───4*[{udisksd}]
        ├─networkd-dispat
        ├─ModemManager───2*[{ModemManager}]
        ├─snapd───10*[{snapd}]
        ├─avahi-daemon───avahi-daemon
        ├─NetworkManager───2*[{NetworkManager}]
        ├─wpa_supplicant
        ├─cron
        ├─atd
        ├─polkitd───2*[{polkitd}]
        ├─colord───2*[{colord}]
        ├─unattended-upgr───{unattended-upgr}
        ├─sshd───sshd───sshd───bash───pstree

Some options to consider when using pstree include -a (include command line arguments) and -g (include process groups).

Here are some quick (truncated) examples.

Output from pstree -a

      └─wpa_supplicant -u -s -O /run/wpa_supplicant

Output from pstree -g:

      ├─sshd(1396)───sshd(28281)───sshd(28281)───bash(28410)───pstree(1115)

tree

While the tree command sounds like it would be very similar to pstree, it's a command for looking at files rather than processes. It provides a nice tree-like view of directories and files.

If you use the tree command to look at /proc, your display would begin similar to this one:

$ tree /proc
/proc
├── 1
│   ├── attr
│   │   ├── apparmor
│   │   │   ├── current
│   │   │   ├── exec
│   │   │   └── prev
│   │   ├── current
│   │   ├── display
│   │   ├── exec
│   │   ├── fscreate
│   │   ├── keycreate
│   │   ├── prev
│   │   ├── smack
│   │   │   └── current
│   │   └── sockcreate
│   ├── autogroup
│   ├── auxv
│   ├── cgroup
│   ├── clear_refs
│   ├── cmdline
...

You will see a lot more detail if you run a command like this as root (sudo tree /proc) since much of the contents of /proc is inaccessible to regular users.

The tree -d command will limit your display to directories.

$ tree -d /proc
/proc
├── 1
│   ├── attr
│   │   ├── apparmor
│   │   └── smack
│   ├── fd [error opening dir]
│   ├── fdinfo [error opening dir]
│   ├── map_files [error opening dir]
│   ├── net
│   │   ├── dev_snmp6
│   │   ├── netfilter
│   │   └── stat
│   ├── ns [error opening dir]
│   └── task
│       └── 1
│           ├── attr
│           │   ├── apparmor
│           │   └── smack
...

With the -f option, tree will show full pathnames.

$ tree -f /proc
/proc
├── /proc/1
│   ├── /proc/1/attr
│   │   ├── /proc/1/attr/apparmor
│   │   │   ├── /proc/1/attr/apparmor/current
│   │   │   ├── /proc/1/attr/apparmor/exec
│   │   │   └── /proc/1/attr/apparmor/prev
│   │   ├── /proc/1/attr/current
│   │   ├── /proc/1/attr/display
│   │   ├── /proc/1/attr/exec
│   │   ├── /proc/1/attr/fscreate
│   │   ├── /proc/1/attr/keycreate
│   │   ├── /proc/1/attr/prev
│   │   ├── /proc/1/attr/smack
│   │   │   └── /proc/1/attr/smack/current
│   │   └── /proc/1/attr/sockcreate
...

Hierarchical displays can often make the relationship between processes and files easier to understand. While the number of options available is rather broad, you'll probably find some views that help you see just what you're looking for.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Related:
Take IDG’s 2020 IT Salary Survey: You’ll provide important data and have a chance to win $500.