User manuals
GNU CoreutilsGNU Binutils
GNU Findutils (find, xargs, and locate)
GNU Diffutils (diff, cmp, sdiff, and patch)
Comparing and Merging Files with GNU diff and patch
Grep
bc
Bash
Listing files with ls
| Sort by the modification time ("mtime" in inode) | -t |
| Sort by the status change time ("ctime" in inode) | -c |
| Sort by the last access time ("atime" in inode) | -u |
| Sort by file size in descending order | -S |
| Sort by file extension | -X |
| Reverse sort | -r |
| Display only directories | -d |
| Display every file, including those starting with "." | -a |
| Display in long/verbose format. For the permission character,
|
-l |
Decorate the file type with special characters:
| -F |
Finding files
The venerable but slower find utility:| Files matching pattern -iname is for case-insensitive |
-name pattern -iname pattern |
| Full path files matching pattern -ipath is for case-insensitive |
-path pattern -ipath pattern |
| Full path files matching regex -iregex is for case-insensitive |
-regex regex -iregex regex |
| Modified/accessed within last n days | -mtime -n -atime -n |
| Modified from n to m days ago (n < m) |
-mtime +n -mtime -m |
| Modified/accessed within last n minutes | -mmin -n -amin -n |
| Newer than file | -newer file |
| Only match files/directories | -type f -type d |
| Files with size between n and m KB | -size +nk -size -mk |
| Files which are executable by me (this would include directories as well) | -perm +100 |
| Empty files/directories | -empty |
| Only search current directory; no recursive descending | -noleaf |
| Limit the recursive descending search to n level depth | -maxdepth n |
| Display full info of the found files | -ls |
| Delete the found files | -delete |
| Display found file/directory info using the specified format | -printf format |
| Run command cmd on found files | -exec cmd {} \; |
The super-fast locate utility. (Its internal database is created by updatedb)
| Just match the file name but not full path | -b |
| Use regular expression | -r |
| Case insensitive | -i |
| Display only first n results | -l n |
| Display locate internal database info | -S |
Searching files for patterns with grep
There are three variants of grep, and they are all invoked bygrep options pattern files_to_searchegrep accepts extended regular expressions, i.e., it is equivalent to grep -E fgrep is the fast version of grep since the pattern is not a regular expression but is treated as a fixed string, i.e., it is equivalent to grep -F
rgrep (recursive grep) is equivalent to grep -r
| Search by regular expression regex. (There can be multiple "-e" options when invoking grep) |
-e regex |
| Recursive descending | -r |
| Only display names of files which match the pattern. | -l |
| Case insensitive | -i |
| Display NON-matching lines | -v |
| Only display names of files which do NOT match the pattern. | -L |
| Search words only | -w |
| Search by regular expressions in file | -f file |
| Display the matched part only (useful for regular expression matching) | -o |
| Display line numbers | -n |
| Display the next num lines immediately after the matching line | -A num |
| Display the prior num lines immediately before the matching line | -B num |
Sorting with sort
| Sort using the n-th word of each line | -k n |
| Sort using the words from n-th word to m-th word of each line | -k n,m |
| Use the character delim in tokenizing a line | -t delim |
| Case insensitive | -f |
| Reverse, i.e. sort in descending order | -r |
| Numerical sort | -n |
| Dictionary sort, i.e. ignore all characters except letter, digits, and spaces | -d |
| Numerical sort, but will also take care of suffixes like KB, MB, GB, etc | -h |
Getting unique lines with uniq
| Ignore first n words of each line | -f n |
| Ignore first n characters of each line | -s n |
| Only use the first n characters of lines | -w n |
| Count occurrences of each line | -c |
| Case insensitive | -i |
| Only display repeated lines | -d |
Comparing files
Compare two text files with diff or three files with diff3:| Case insensitive | -i |
| Ignore spaces | -b |
| Ignore blank lines | -B |
| Display result side by side and show only the left column (can also use sdiff instead) |
-y --left-column |
| Recursive descending | -r |
Compare two binary files with cmp:
| Skip first n bytes | -i n |
| Compare only first n bytes | -n n |
Display common and different lines of two sorted files with comm:
| Only display common lines | -1 -2 |
| Display lines in the first file but not the second file | -2 -3 |
Displaying file content
Display files with cat:| Show control characters | -A |
| Add line number | -n |
| Suppress adjacent empty lines | -s |
Browse files interactively with less. Here are commands one can use while in less:
| Toggle case-sensitive/insensitive search | Type -I |
| Search forward | Type / followed by the search pattern |
| Search forward for non-matching lines | Type /! followed by the search pattern |
| Search backward | Type ? followed by the search pattern |
| Repeat previous search (forward) | Type n |
| Repeat previous search (backward) | Type N |
| Display only matching lines | Type & followed by the search pattern |
| Display the on-line help | Type h |
| Search in the current screen only and highlight the matches | Type /, press Ctrl-K, then enter the search pattern |
| Go to the first line | Type g |
| Go to the last line | Type G |
| Go to the N-th line | Type the number followed by g |
| Mark current position | Type m followed by a single letter |
| Go to a marked position | Type ' followed by a single letter |
| Display the next file (from the command line) | Type :n |
| Display the previous file (from the command line) | Type :p |
| Display the first file (from the command line) | Type :x |
| Edit currently displayed file | Type v |
| Toggle line number on/off | Type -n |
| Toggle long-line-chopping on/off | Type -S |
| Display where we are now in the viewed file | Type :f |
| Following mode (like tail -f) | Type F |
Display files in reverse order with tac:
| Use the character delim instead of newline in tokenizing the file | -s delim |
Add line numbers with nl:
| The line number is left justified | -n ln |
| The line number is right justified with padding 0's | -n rz |
| Set width of the line number to be n digits | -w n |
Display files in hexadecimal (or other formats) with od:
| 4 hexadecimal as a unit | -t x4 |
| Single precision floating-point numbers | -f |
| Double precision floating-point numbers | -t fD |
| Signed integer | -t dI |
| Unsigned integer | -t uI |
| Only display the first n bytes | -N n |
| Do not display the first n bytes | -j n |
| Only display printable strings of at least n bytes long (simliar to strings utility) |
-S n |
Display files in hexadecimal with xxd (source code here):
| Group every n bytes | -g n |
| n bytes per line | -c n |
| Binary digits dump (rather than hexdump) | -b |
| Stop after dumping n bytes | -l n |
| Skip first n bytes | -s n |
| Output in C include file style | -i |
| Reverse operation; Convert hexdump back to binary | -r -p |
Display files in hexadecimal with hexdump:
| Output in offset+hex+ASCII format | -v -C |
| Output in specfic [format string]. This option can be repeated |
-v -e ' [iterations]/[byte_count] "[format string]" ' |
| Stop after dumping n bytes | -n n |
| Skip first n bytes | -s n |
Base-64 encoding and decoding with base64
Dislpay process status with ps
The source code of ps can be found here The GNU ps accepts three types of options:- UNIX, which must be preceded by a dash.
- GNU, which must be preceded by two dashes.
- BSD, which must NOT be preceded by any dash.
| Print all processes. | -A -e |
| Print in long format. | -l l |
| Print in full format. | -f |
| Print in extra long format. | -F |
| Print process hierarchy (forest). | -H --forest f |
| Show threads. | -L -T |
| Show threads as processes. | H |
| Show threads after processes. | m -m |
| Print all processes. | axu |
| Print all processes associated with this terminal. | T |
| Print details of process pid. | -w -w -fp pid |
ps -eo "%fmt1 %fmt2 ..."where %fmt1, %fmt2 can be
%a Command-line arguments %C Ratio of "CPU time" to "Wall clock time" in % %c Name of the executable %G Effective group %g Real group %n Nice value %P Parent process ID %p Process ID %r Process group ID %t Wall clock time %U Effective user %u Real user %x CPU time %y Controlling terminal name (tty) %z Total VM size in KBCustomize the output (Standard format):
ps -eo fmt1,fmt2 ... --sort fmtn,fmtm ...
where fmt1, fmt2 ... can be
%cpus Ratio of "CPU time" to "Wall clock time" in % %mem Ratio of "RSS" to "Physical memory" in % args Command-line arguments blocked Mask of the blocked signals in hexadecimal format bsdstart Start time of the process bsdtime Accumulated CPU time (user + system) c CPU utilization (integer part) caught Mask of the caught signals in hexadecimal format class Scheduling class of the process cls Scheduling class of the process cmd Command-line arguments comm Name of the executable cputime Accumulated CPU time in "[dd-]hh:mm:ss" format drs Data section resident set size in KB egid Effective group ID eip Instruction pointer esp Stack pointer etime Wall clock time euid Effective user ID f Flags associated with the process flag Flags associated with the process flags Flags associated with the process fname Name of the executable (only first 8 bytes) gid Effective group ID group Effective group lrs Dynamic libraries resident set size in KB lstart Start time of the thread lwp Thread ID ni Nice value nice Nice value nlwp Number of threads nwchan Address of the kernel function where the process is sleeping pcpu Ratio of "CPU time" to "Wall clock time" in % pending Mask of the pending signals in hexadecimal format pgid Process group ID pid Process ID pmem Ratio of "RSS" to "Physical memory" in % policy Scheduling class of the process ppid Parent process ID pri Priority (higher number means lower priority) psr CPU core that process is currently assigned to rgroup Real group rss Resident set (real memory) size in KB ruser Real user s Process state sched Scheduling class of the process sig Mask of the pending signals in hexadecimal format size Space that would be required if the process is swapped out spid Thread ID stackp Address of the bottom (start) of stack state Process state stime Start time of the process sz Space that would be required if the process is swapped out tid Thread ID time CPU time thcount Number of threads trs Text section resident set size in KB tty Controlling terminal name (tty) user Effective user vsz Total VM size in KB wchan Name of the kernel function where the process is sleeping (waiting channel)Process scheduling classes:
FF First in-first out RR Round robin TS Time sharing (default)Process state codes:
+ Is in the foreground process group. < High-priority (not nice to other users). D Uninterruptible sleep (usually I/O). l Is multi-threaded (using CLONE_THREAD, like NPTL pthreads do). L Has pages locked into memory (for real-time and custom I/O). N Low-priority (nice to other users). R Running/runnable (on run queue). s Session leader. S Interruptible sleep (waiting for an event to complete). T Stopped, either by a job control signal or because it is being traced. Z Defunct/zombie process, terminated but not reaped by its parent.
Process related utilities
| Display which processes are using a specified file, file system, or socket. | fuser lsof (lsof source code is here) |
| Display which processes are listening at specified port num. | lsof -i :num |
| Look up processes by name (or regular expression) | pgrep pidof |
| Display process tree | pstree |
| Kill processes by name | killall
pkill |
| Peek at file descriptors of a process (It attaches to a process and intercepts all reads and writes to file descriptors) |
peekfd |
| Display files currently opened by process foo or PID num | lsof -c foo lsof -p num |
| Display the statistics of a process | prtstat pidstat |
| Display the memory map of a process | pmap |
| Display Linux slab cache information in real time | slabtop |
| Display per CPU statistics in real time | mpstat 1 |
| Display system activities in real time | sar |
| Run a command with a time limit | timeout |
| Run a command with modified I/O stream buffering | stdbuf |
| Run a command with modified environmental variables | env |
Display processes with top (Table Of Process)
| Show threads | H |
| Show command-line or program name | c |
| Field selector | f |
| Sort by which field selector | F |
| User selector | u |
| Show idle tasks | i |
| Reverse sort toggle | R |
Dealing with executable binaries
| Display static symbol table | nm -n a.out
readelf -s a.out
objdump -t a.out
|
| Display dynamic symbol table | nm -Dn a.out
readelf -s a.out
objdump -T a.out
|
| Display undefined symbols in an executable binary | nm -u a.out
readelf -s a.out|grep UND
objdump -T a.out|grep \*UND\*
|
| Display dynamic relocation table | readelf -r a.out
objdump -R a.out
|
| Display static relocation table | objdump -r a.out
|
| Display globally defined functions in an executable binary | nm -an a.out|grep ' T '
readelf -s a.out|grep 'FUNC '|grep 'GLOBAL '
|
| Display locally defined functions in an executable binary | nm -an a.out|grep ' t '
readelf -s a.out|grep 'FUNC '|grep 'LOCAL '
|
| Display symbols along with their file name and line number | nm -anl a.out
The code must be compiled with -g command-line option.
|
| Display ELF section names, attributes, sizes | readelf -t a.out
|
| Display section names of ELF sections which contain code | objdump -h a.out | grep -B 1 CODE
|
| Display the .comment section (as NULL-terminated strings) | readelf -p .comment a.out
|
Disassembling with objdump
| Disassemble | -d |
| Disassemble all contents, not just those expected to contain code | -D |
| When disassembling, display source code intermixed with disassembly, if possible | -S |
| Display debugging information | --dwarf=decodedline |
| Display dynamic relocation records information | -R |
| Display information only for section sec | -j sec |
| Demangle C++ names | -C |
| Use Intel syntax for output | -M intel |
| Display function names and line numbers | -l |
| Display information starting at address 0x12345 | --start-address=0x12345 |
| Stop displaying information at address 0x12345 | --stop-address=0x12345 |
