Drill: Trace Process Relationships

Goal

Use pstree and ps to visualize parent-child process relationships and understand process hierarchies.

Setup

• Linux system with procps and pstree installed
• pstree is typically in the psmisc package

Commands

Show the full process tree:

pstree -p

Show the tree for a specific PID with thread info:

pstree -p -t <PID>

Show the tree for a specific user:

pstree -u www-data

Use ps in forest mode to see hierarchy with resource info:

ps auxf

Show a specific process and its children:

ps -ef --forest | grep -A 5 nginx

Find the parent PID of a process:

ps -o pid,ppid,cmd -p <PID>

Trace ancestry from a process back to PID 1:

pstree -s -p <PID>

What to Look For

• Services spawned by systemd appear as direct children of PID 1
• Orphaned processes get re-parented to PID 1 or a subreaper
• Worker process models (nginx, apache) show master-worker relationships
• Zombie processes appear with [defunct] and have exited but not been waited on

Common Mistakes

• Confusing threads with child processes in pstree output (use -t to show threads)
• Not using -p flag and missing which PIDs map to which branches
• Forgetting that ps aux does not show hierarchy -- use ps auxf for forest mode
• Misreading grep results that include the grep process itself

Cleanup

No cleanup needed. These are read-only inspection commands.