How to analyze a Linux process' memory map with pmap

Tools like ps and pgrep can help you learn about the processes running on your system. Sometimes, the next step in getting a report on processes is exploring a single process' memory map. You can use the pmap command for that.

[Cheat sheet: Old Linux commands and their modern replacements ]

Check a process

Suppose you need to know how the sshd process is mapped in memory. First, find the process ID (PID) of the process:

$ ps aux | grep sshd
root   5484  [...] sshd: /usr/sbin/sshd -D [listener]
0 of 10-100 startups

Use the PID 5484 to explore the process:

$ sudo pmap 5484 | more
5484:   sshd: /usr/sbin/sshd -D [listener]
0000560d6317f000     48K r---- sshd
0000560d6318b000    564K r-x-- sshd
0000560d63218000    296K r---- sshd
0000560d63262000     16K r---- sshd
0000560d63266000      4K rw--- sshd
0000560d63267000     16K rw---   [ anon ]
0000560d6502c000    504K rw---   [ anon ]
00007f929fcc8000     12K rw---   [ anon ]
00007f929fccb000     16K r---- libgpg-error.so
00007f929fccf000     88K r-x-- libgpg-error.so
00007f929fce5000     40K r---- libgpg-error.so
00007f929fcef000      4K r---- libgpg-error.so
00007f929fcf0000      4K rw--- libgpg-error.so
[...]
00007ffd61ce8000    132K rw---   [ stack ]
00007ffd61d92000     16K r----   [ anon ]
00007ffd61d96000      8K r-x--   [ anon ]
ffffffffff600000      4K --x--   [ anon ]
total: 15612K

The pmap output reports the process' memory usage, including all the components it uses, such as libraries and binary files. The columns include the memory address, offset, permission, and name.

[ No-cost online course: Red Hat Enterprise Linux technical overview. ]

You can run the same command with the -x flag to get even more detailed output:

Address           Kbytes     RSS   Dirty Mode  Mapping
0000560d6317f000      48      48       0 r---- sshd
0000560d6318b000     564     500       0 r-x-- sshd
0000560d63218000     296     160       0 r---- sshd
0000560d63262000      16      16      16 r---- sshd
0000560d63266000       4       4       4 rw--- sshd
0000560d63267000      16      16      16 rw---   [ anon ]

Here's what that information means:

• Address: The beginning memory address allocation
• Kbytes: Memory allocation in kilobytes
• RSS: Resident set size of the process in memory
• Dirty: The status of the memory pages
• Mode: Access mode and privileges
• Mapping: The user-facing name of the application or library

[ Find out what sysadmins need to know about Linux permissions ]

In this case, the binary sshd is allocated 48 kilobytes from the memory address 0000560d6317f000 to the address 0000560d6317f000. You can test whether this is true using a Python shell. First, subtract the memory address to get the offset. The result is returned in hex:

$ python
Python 3.10.7
>>> hex ( 0x0000560d6318b000 -0x0000560d6317f000 );
'0xc000'

Convert the hex value:

>>> int (hex ( 0x0000560d6318b000 -0x0000560d6317f000 ),16);
49152

Finally, divide this result by 1024:

>>> 49152/1024
48

The result is 48 kilobytes.

Mapping with pmap

The pmap utility gathers most of its information from the /proc/PID/smaps file and makes it friendly to humans. The [ anon ] value is anonymous memory mapping, which is part of the memory populated with data not taken from the filesystem but allocated when needed.

You can use pmap to monitor the movement of memory across a particular time range. You can also use it to analyze a memory value that always increases and never decreases or to locate the culprit of a memory leak.

This example is a brief overview of what's possible to learn about a single process. Use it well.

[ For more tips on Linux administration, read How to use the lsof command to troubleshoot Linux. ]