It’s time for filtering content, guyss. Heyyy everyone, welcome back to the “Linux Basics For Hackers” series! I hope you’re having a good week and have had a chance to play around with the commands from our last session.
In the last article, Information Gathering in Linux | Part 1, we really got our hands dirty, didn’t we? We learned how to pull out all sorts of juicy details from our system. We used lsblk to peek at our storage devices, lsusb to see what’s plugged in, lspci to get the lowdown on our hardware, and the mighty lsof to check which files are being held open.
If you followed along, you probably noticed something… we got a lot of output. Like, a torrent of text flooding the terminal. It’s great to have all that information, but it’s a bit like trying to drink water from a fire hose, right? 😅
That’s the exact problem we’re going to start solving today. What’s the point of being a master information gatherer if you can’t sift through it all to find the gold? This is where the art of filtering content in Linux comes in, and it’s a skill that separates the beginners from the pros.
In this article, we’ll look at the very first layer of filtering: simply viewing large amounts of text in a manageable way. We’ll cover four fundamental commands: more, less, head, and tail. Think of these as your magnifying glass and reading glasses for the command line.
And stick around, because in the next part, we’ll take it a step further and learn how to chop up, rearrange, and count that data with commands like sort, cut, and wc. But first, let’s learn how to walk before we run.
Ready? Grab your favourite beverage (mine’s coffee, obviously ☕️) and let’s dive in.
The Problem: Terminal Overload
Let’s start with a practical example. Remember lsof? Let’s run it without any arguments.
lsof
Woah. Did you see that? Hundreds, maybe thousands of lines just flew past your screen at lightning speed. By the time you can even think about reading it, it’s gone. All you can see is the last page of the output. That’s… not very useful, is it?
This happens with log files, configuration files, and the output of many system commands. You have a mountain of text, but you can only see the peak. How are you supposed to explore the rest of it?
The Pagers: more and less
To solve this, Linux provides us with programs called “pagers.” Their job is simple: take a large chunk of text and display it one page (or one screenful) at a time. The two classic pagers you absolutely must know are more and less.
more: The Old-School Original
The more command is the original pager. It’s simple, reliable, and you’ll find it on virtually any Unix-like system, no matter how old.
Let’s try our lsof command again, but this time, we’ll “pipe” its output into more. That vertical bar | is the pipe symbol, and it’s one of the most powerful concepts in Linux. It tells the shell to take the output of the command on the left and use it as the input for the command on the right.
lsof | more
Magic! Instead of everything flying by, the output stops after filling the screen once. At the bottom left, you’ll see --More-- with a percentage telling you how far into the text you are.
Now you’re in control. Here’s how to navigate:
- Press the
Spacebarto move down one full page. - Press
Enterto move down just one line at a time. - Press
qto quit and return to your prompt.
Go on, try it. It’s a much more civilised way to read, isn’t it?
You can also use more directly on a file. For example, to read a system log file:
more /var/log/syslog
One limitation of more: It’s a one-way street. You can only move forward. You can’t scroll back up to see something you missed. This is where its younger, more powerful sibling comes in.
less: The Souped-Up Successor
There’s a classic geek joke: “What’s the difference between more and less? less is more.”
And it’s true! The less command does everything more does, but adds a whole bunch of extra features that make it far more useful. Honestly, 99% of the time, you’ll be using less. ( or maybe not 😂 if you are “zamin se juda hua insan hahah” )
Let’s try our pipe example again, this time with less.
lsof | less
The interface looks similar, but the real power is in the navigation:
Spacebar/Enter: Work the same as inmore(page/line forward).Up Arrow/Down Arrow: You can move up and down line-by-line!PageUp/PageDown: You can scroll up and down a full page./(Forward Slash): This is a game-changer. Press/, type a word or phrase (e.g.,/chrome), and pressEnter.lesswill search forward and highlight every instance of that term. Pressnto jump to the next match andNto jump to the previous one.q: Quits the view.
The ability to scroll backwards and search makes less infinitely more practical for debugging and analysis.
Just like more, you can use it directly on files:
less /var/log/auth.log
A useful flag for less: Try the -N flag. It adds line numbers to the output, which is super helpful for pinpointing exact locations in a file.
less -N /var/log/auth.log
So, the takeaway is: know that more exists, but make less your default pager. It’s the standard for a reason.
The Snippet Tools: head and tail
Pagers are great for when you want to explore an entire file. But sometimes, you don’t need the whole story. Sometimes, you just want the beginning or the end. That’s where head and tail are your best friends.
head: A Quick Peek at the Beginning
The head command, as the name suggests, shows you the top part of a file. By default, it displays the first 10 lines.
This is incredibly useful for quickly identifying a file. What is this script? What does this log file start with? head gives you a quick answer without opening the whole thing.
# Show the first 10 lines of the system log
head /var/log/syslog
The real power comes from customising the output with flags. The -n flag lets you specify exactly how many lines you want to see.
# Show the first 5 lines
head -n 5 /var/log/syslog
# You can also write it without the space, which is common
head -5 /var/log/syslog
Another cool flag is -c (for bytes). If you want to see the first 100 bytes of a file, you can do this:
# Show the first 100 bytes
head -c 100 /etc/services
This can be handy when you’re dealing with binary files or data where line breaks aren’t relevant.
tail: The Latest Scoop
If head is for introductions, tail is for the latest news. It shows you the end of a file, which is often the most interesting part, especially in cybersecurity. Why? Because logs are written chronologically. The newest events—the latest login attempts, the most recent errors, the last web request—are all at the bottom of the file.
By default, tail also shows the last 10 lines.
# Show the last 10 lines of the authentication log
tail /var/log/auth.log
And just like head, you can use the -n flag to specify the number of lines.
# Show the last 20 lines
tail -n 20 /var/log/auth.log
But now for the killer feature. The one command that every sysadmin, developer, and hacker uses every single day: tail -f.
The -f flag stands for “follow.” When you use it, tail will display the last few lines of a file and then wait. It keeps the file open, and as new lines are added to the file by another process, they will appear in your terminal in real-time.
This is how you watch things happen live on a system.
Imagine you’re monitoring a web server’s access log to see who is visiting your site. You would run:
tail -f /var/log/apache2/access.log
Now, open a web browser and visit the website hosted on that server. You’ll see your access request pop up in the terminal instantly! To stop following the file, just press Ctrl+C. This is insanely powerful for live monitoring and troubleshooting.
Tying It All Together
These commands are powerful on their own, but they become even better when you combine them. The pipe | operator is the glue that connects our Linux tools.
- Want to see the 20 oldest processes on your system? You could combine
pswithhead:
# 'aux' lists all running processes
# We pipe it to head to only see the first 20 lines (including the header)
ps aux | head -n 20
- Want to see the 20 most recently modified files in a directory? Combine
lsandtail:
# 'ls -lt' lists files sorted by modification time (newest first)
# We pipe that to tail to see the last 20 (which would be the oldest in this sort order)
# Let's reverse that to get the newest!
ls -lt /etc/ | head -n 20
Wait, the example above shows the 20 newest, because -t sorts by time. If we wanted the oldest, we’d use tail. See how you can start to think with these tools?
What’s Next?
Phew, that was a lot, but we’ve built a solid foundation. You now know how to take a massive, overwhelming stream of text and view it calmly with less. You know how to grab a quick snapshot of the beginning with head or watch live updates with tail -f.
You’ve taken your first crucial step in mastering filtering content in Linux.
In our next article, “Filtering Content Part-2,” we’re going to get even more surgical. Now that we can view the data properly, we’ll learn how to manipulate it. We’ll explore:
sort: To order our data alphabetically or numerically.cut&column: To extract only the specific columns of data we care about.tr: To translate or delete characters.wc: To count lines, words, and characters.
By the end of the next article, you’ll be able to build some seriously impressive command-line pipelines to find exactly what you’re looking for. Stay curious, and happy hacking!
FAQs
1. What is the main difference between more and less in Linux? The biggest difference is that less allows you to scroll both forwards and backwards through the text (using arrow keys, PageUp/PageDown), while more only allows you to move forward. less also includes powerful features like searching for text within the document. In short, less is a more modern and feature-rich version of more.
2. How do you use the tail -f command? The tail -f (follow) command is used for real-time monitoring of files, typically log files. You run tail -f [filename], and it will display the last 10 lines of the file and then continuously output any new lines that are added. This is essential for watching live events like web server traffic or application errors. To stop following the file, you press Ctrl+C.
3. Can head and tail be used together? Yes, and it’s a common technique! You can use a pipe to combine them to extract a specific section from the middle of a file. For example, to get lines 11-20 from a file, you could do: head -n 20 filename | tail -n 10. This first gets the top 20 lines, and then from that output, it gets the last 10 lines, effectively giving you lines 11-20.
4. Why are these filtering commands important for cybersecurity? In cybersecurity, you are constantly analysing massive amounts of data from logs (auth.log, syslog, web server logs), tool outputs (from Nmap, Wireshark, etc.), and configuration files. It’s impossible to analyse this data effectively if you can’t navigate it. less helps you search for specific indicators of compromise (like a suspicious IP address), and tail -f is critical for live monitoring of systems to detect an ongoing attack.
5. How do I exit from the less or more command? In both more and less, you can exit the pager and return to your command prompt by simply pressing the q key (for “quit”).
