top of page

Exploring Filesystem with debugfs


Exploring Filesystem with debugfs

The debugfs tool provides a powerful way to interact with the ext2, ext3, and ext4 filesystems and gain insights into the structure and metadata of your files. In this blog i.e Exploring Filesystem with debugfs, we'll walk through a session with debugfs, analyzing various commands and their outputs.


1.Launching debugfs:

[root@siddhesh ~]# debugfs
debugfs 1.46.5 (30-Dec-2021)
debugfs:  open /dev/sda3
debugfs:

The session begins by launching debugfs and opening the filesystem on the device /dev/sda3.


2.Understanding Filesystem Stats:

debugfs:  stats
Filesystem volume name:   <none>
Last mounted on:          /
Filesystem UUID:          201e782a-9d04-4aaa-b0c0-26c965386fbe
Filesystem magic number:  0xEF53
Filesystem revision #:    1 (dynamic)
Filesystem features:      has_journal ext_attr resize_inode dir_index filetype needs_recovery extent 64bit flex_bg sparse_super large_file huge_file dir_nli
nk extra_isize metadata_csum
Filesystem flags:         signed_directory_hash
Default mount options:    user_xattr acl
Filesystem state:         clean
Errors behavior:          Continue
Filesystem OS type:       Linux
Inode count:              13107200
Block count:              52428800
Reserved block count:     2621440
Overhead clusters:        1100294
Free blocks:              37886330
Free inodes:              12328029
First block:              0
Block size:               4096
Fragment size:            4096
Group descriptor size:    64
Reserved GDT blocks:      1024
Blocks per group:         32768
Fragments per group:      32768
Inodes per group:         8192
Inode blocks per group:   512
Flex block group size:    16
Filesystem created:       Wed Aug  9 12:16:49 2023
Last mount time:          Tue Jan 23 13:48:14 2024
Last write time:          Tue Jan 23 13:48:03 2024
Mount count:              33
Maximum mount count:      -1
Last checked:             Wed Aug  9 12:16:49 2023
Check interval:           0 (<none>)
Lifetime writes:          593 GB

The stats command provides an overview of the filesystem's statistics, offering valuable information like the total number of inodes, blocks, and more. Let's go through each parameter in the output:


Filesystem volume name: <none>

Indicates the name of the volume associated with the filesystem. In this case, it is not specified.


Last mounted on: /

Shows the directory where the filesystem was last mounted.


Filesystem UUID: 201e782a-9d04-4aaa-b0c0-26c965386fbe

Universally Unique Identifier assigned to the filesystem.


Filesystem magic number: 0xEF53

A hexadecimal number that identifies the filesystem type. In this case, it corresponds to the ext4 filesystem.


Filesystem revision #: 1 (dynamic)

Indicates the revision number of the filesystem. In this case, it's a dynamic revision.


Filesystem features:

Lists various features supported by the filesystem, such as journaling, extended attributes, inode resizing, directory indexing, file types, and others.


Filesystem flags: signed_directory_hash

Flags associated with the filesystem, in this case, it indicates the presence of a signed directory hash.


Default mount options: user_xattr acl

The default mount options used when mounting the filesystem. In this case, it includes user extended attributes and access control lists (ACL).


Filesystem state: clean

Indicates the cleanliness of the filesystem, and in this case, it's clean.


Errors behavior: Continue

Specifies the behavior in the presence of errors. In this case, it continues despite errors.


Filesystem OS type: Linux

Indicates the type of operating system the filesystem is designed for.


Inode count: 13107200

The total number of inodes (data structures that store information about files) in the filesystem.


Block count: 52428800

The total number of blocks in the filesystem.


Reserved block count: 2621440

The number of blocks reserved for the filesystem.


Overhead clusters: 1100294

The number of clusters reserved for overhead.


Free blocks: 37886330

The number of free blocks in the filesystem.


Free inodes: 12328029

The number of free inodes in the filesystem.


First block: 0

The index of the first block in the filesystem.


Block size: 4096

The size of each block in bytes.


Fragment size: 4096

The size of each fragment in bytes.


Group descriptor size: 64

Size of the group descriptor in bytes.


Reserved GDT blocks: 1024

The number of blocks reserved for the group descriptor table.


Blocks per group: 32768

The number of blocks in each group.


Fragments per group: 32768

The number of fragments in each group.


Inodes per group: 8192

The number of inodes in each group.


Inode blocks per group: 512

The number of blocks reserved for inodes in each group.


Flex block group size: 16

The size of the flex block group.


Filesystem created: Wed Aug 9 12:16:49 2023

The timestamp indicating when the filesystem was created.


Last mount time: Tue Jan 23 13:48:14 2024

The timestamp indicating when the filesystem was last mounted.


Last write time: Tue Jan 23 13:48:03 2024

The timestamp indicating when the filesystem was last written to.


Mount count: 33

The number of times the filesystem has been mounted.


Maximum mount count: -1

The maximum number of times the filesystem can be mounted. -1 means no maximum limit.


Last checked: Wed Aug 9 12:16:49 2023

The timestamp indicating when the filesystem was last checked.


Check interval: 0 (<none>)

The interval between filesystem checks. In this case, it's set to <none>.


Lifetime writes: 593 GB

The total amount of data written to the filesystem over its lifetime.


3.Finding Inodes by Path:

debugfs:  ncheck 2099816
Inode    Pathname
2099816    /etc/group

Using ncheck, you can find the inode associated with a specific path. In this example, the inode 2099816 corresponds to the file /etc/group.


4.Listing Directory Entries:

debugfs:  ls

The ls command displays the directory entries within the filesystem. Each entry includes the inode number, file type, and name. This output provides a glimpse into the structure of the filesystem.


5.Examining File Attributes:

debugfs:  ex -l /etc/group
Level Entries       Logical            Physical Length Flags
0/ 0   1/  1     0 -     0 12177737 - 12177737      1
debugfs:

The ex command allows us to examine specific file attributes. Here, we explore the details of the /etc/group file, including its size, inode, and other metadata. Let's break down the information presented in the output:


Level:

Refers to the level of the file system. In this case, it is "0."


Entries:

Provides information about the number of entries.


Logical - Physical:

Represents the mapping between logical and physical block numbers in the filesystem.


Length:

Indicates the length of the file in terms of blocks.


Flags:

Specifies any flags or attributes associated with the file.


6.Listing Deleted Inodes

debugfs:  lsdel
Inode  Owner  Mode    Size      Blocks   Time deleted
1573400   1001 100644   5797      2/     2 Mon Oct 30 17:11:23 2023
1573403   1001 100644   5813      2/     2 Mon Oct 30 17:11:23 2023
10759555     76 100600  16896      6/     6 Wed Jan 17 10:43:51 2024
3 deleted inodes found.
debugfs:

The lsdel command reveals information about deleted inodes, including the inode number, owner, mode, size, blocks, and the time of deletion. This insight can be crucial for understanding the history of the filesystem.


The output provides information about three deleted inodes:


First Inode (1573400):

Owner: User with UID 1001

Mode: File with permissions 100644

Size: 5797 bytes

Blocks: 2 (indicated as a range)

Time deleted: Mon Oct 30 17:11:23 2023


Second Inode (1573403):

Owner: User with UID 1001

Mode: File with permissions 100644

Size: 5813 bytes

Blocks: 2 (indicated as a range)

Time deleted: Mon Oct 30 17:11:23 2023


Third Inode (10759555):

Owner: User with UID 76

Mode: File with permissions 100600

Size: 16896 bytes

Blocks: 6 (indicated as a range)

Time deleted: Wed Jan 17 10:43:51 2024


The information includes details about the deleted files, such as their ownership, permissions, size, block location, and the timestamp when they were deleted. The summary at the end states that three deleted inodes were found.

Comments

Rated 0 out of 5 stars.
No ratings yet

Add a rating
bottom of page