Home
Pr1malbyt3s

© Aaron Williams 2020 | All Rights Reserved.

Search

Memory

In the context of computers, memory contains the current running state of a system. A memory’s current state is only retained given a power supply and is constantly changing. We care about memory content because it provides the closest possible snapshot of a systems state at a past moment in time. Should an incident occur, the memory contents at that instantaneous point of occurence serve as the most reputable source of evidence. Unfortunately, there is no longer a clean, safe way to capture a memory dump on Linux without the use of external utilities (prior to kernel version 2.6 series, all ranges of memory could be read directly from the /dev/mem device file). Given this restriction, we concern ourselves with memory usage statistics. Although we can’t access the memory contents, the memory usage statistics provide a quantitative measurable of what may be happening on a system.

Overall Memory Usage:

free -h
# Free displays the total amount of free and used system memory. 
# The -h option displays usage in gigabytes.

cat /proc/meminfo
# The cat utility is used to concatenante files and print on the standard output.
# The /proc/ directory is a pseudo filesystem, non-file object representation, for system information.
# The meminfo file reports information about the system's current memory usage.

Memory Usage Timeline:

sar -r 1 10
# The sar utility is used to report system activity information.
# The -r option is used to report memory utilizations statistics.
# The 1 and 10 are used to print information every second, ten times.
# kbmemfree = amount of free memory available in KB.
# kbmemused = amount ot used memory in KB.
# %memused = percentage of used memory.
# kbbuffers = amount of memory used as buffers by the kernel in KB.
# kbcached = amount of memory used to cache data by the kernel in KB.
# kbcommit = amount of memory in KB needed for current workload.
# %commit = percentage of memory needed for current workload in relation to total amount of memory.
# kbactive = amount of active memory in KB.
# kbinact = amount of inactive memory in KB.
# kbdirty = amount of memory in KB waiting to get written back to disk.

Memory Usage Per Process:

top
# Top allows real time process monitoring for system resource usage. Most of the fields are self explanatory, but some aren't:
# M or Shift+m sorts by memory usage
# PR = scheduling priority 
# NI = "nice" value
# VIRT = total memory consumed by a process (including data)
# RES = memory consumed by the process in RAM
# %MEM = RES value expressed as percent of total RAM
# SHR = amount of shared memory with other processes
# S = process state
# Reference: https://www.booleanworld.com/guide-linux-top-command/

Demonstration:

We’ll use a small C program to take a look at what happens in memory using the above methods. The program:

/* Program that allocates 100MB of memory every five seconds. */
#include <stdlib.h>
#include <memory.h>
/* Make variable to represent a MB size of data */
#define MB 1024 * 1024

int main() {
        while(1) {
                /* Use malloc to allocate 100MB memory space to pointer p */
                void *p = malloc(100*MB);
                /* Use memset to fill allocated memory space with 0s */
                memset(p, 0, 100*MB);
                /* Sleep for 5 seconds */
                sleep(5);
        }
}

You can save the program as memtest.c and compile it using the command:

gcc memdemo.c -o memdemo

Then run it using the command:

./memdemo

You can bounce back and forth between the different programs to get a feel for observing noticable changes in memory usage. Be sure to kill the process before it eats up all your memory.