How often have you bumped into a .gz file whose contents you need to check? I know I do quite often. A .gz file is a compressed file created with gzip, and before I knew better I would copy the file into another folder, uncompress it and then look at the contents. Is there a way to avoid this unnecessary decompression and wasted time? Of course there is. In Linux, you can view the contents of a compressed .gz file without uncompressing it yourself (it is decompressed on the fly, or in a temp directory), which makes perfect sense for those who deal with large log files and do forensic work. The way it's done is by using the Z commands.
Z commands, for example: zcat lets you view the contents of a compressed file, zless or zmore let you page through a file (page-by-page viewing), zgrep or zegrep let you search inside a compressed file, zdiff or zcmp let you compare two files… Sounds good? I bet it does. Welcome to the Z commands, which you can use to view, search, compare and page through compressed files without wasting time uncompressing them.
First of all, let's find some compressed files to see what they actually look like.
Compressed files:
Open a terminal and change to /var/log. /var/log is where most of your log files will go by default unless otherwise specified by an application or the system. Run the ls command to list the contents of that directory. As you can see, there are many .gz files in there.
root@kali: # cd /var/log
root@kali:/var/log# ls
alternatives.log debug kern.log.1 mysql.log.4.gz syslog.6.gz
alternatives.log.1 debug.1 kern.log.2.gz mysql.log.5.gz syslog.7.gz
apache2 debug.2.gz kern.log.3.gz mysql.log.6.gz sysstat
apt debug.3.gz kern.log.4.gz mysql.log.7.gz tor
aptitude dmesg lastlog news unattended-upgrades
aptitude.1.gz dmesg.0 lpr.log nginx user.log
auth.log dmesg.1.gz mail.err ntpstats user.log.1
auth.log.1 dmesg.2.gz mail.info openvas user.log.2.gz
auth.log.2.gz dmesg.3.gz mail.log pm-powersave.log user.log.3.gz
auth.log.3.gz dmesg.4.gz mail.warn pm-powersave.log.1 user.log.4.gz
auth.log.4.gz dpkg.log messages postgresql wtmp
bootstrap.log dpkg.log.1 messages.1 pycentral.log wtmp.1
btmp dradis messages.2.gz samba wvdialconf.log
btmp.1 exim4 messages.3.gz speech-dispatcher Xorg.0.log
chkrootkit faillog messages.4.gz stunnel4 Xorg.0.log.old
ConsoleKit fontconfig.log mysql syslog Xorg.1.log
daemon.log fsck mysql.err syslog.1 Xorg.1.log.old
daemon.log.1 gdm3 mysql.log syslog.2.gz
daemon.log.2.gz inetsim mysql.log.1.gz syslog.3.gz
daemon.log.3.gz installer mysql.log.2.gz syslog.4.gz
daemon.log.4.gz kern.log mysql.log.3.gz syslog.5.gz
I will use the dmesg and dmesg.1.gz files for this exercise.
Now, normally, if you want to see the contents of the dmesg file, you would use the cat command and pipe it to either more or less for pagination:
root@kali:/var/log# cat dmesg | more
(output - truncated)
[ 0.000000] Initializing cgroup subsys cpuset
[ 0.000000] Initializing cgroup subsys cpu
[ 0.000000] Initializing cgroup subsys cpuacct
[ 0.000000] Linux version 3.14-kali1-amd64 (debian-kernel@lists.debian.org) (gcc version 4.7.2 (Debian 4.7.2-5) ) #1 SMP Debian 3.14.5-1kali1 (2014-06-07)
[ 0.000000] Command line: BOOT_IMAGE=/boot/vmlinuz-3.14-kali1-amd64 root=UUID=9f174fa5-0c59-4024-b307-463b7bc1752d ro initrd=/install/gtk/initrd.gz quiet nouveau.modeset=0
[ 0.000000] e820: BIOS-provided physical RAM map:
[ 0.000000] BIOS-e820: [mem 0x0000000000000000-0x000000000009efff] usable
[ 0.000000] BIOS-e820: [mem 0x000000000009f000-0x000000000009ffff] reserved
[ 0.000000] BIOS-e820: [mem 0x00000000000e4000-0x00000000000fffff] reserved
[ 0.000000] BIOS-e820: [mem 0x0000000000100000-0x00000000bd77ffff] usable
[ 0.000000] BIOS-e820: [mem 0x00000000bd780000-0x00000000bd78dfff] ACPI data
[ 0.000000] BIOS-e820: [mem 0x00000000bd78e000-0x00000000bd7cffff] ACPI NVS
[ 0.000000] BIOS-e820: [mem 0x00000000bd7d0000-0x00000000bd7dffff] reserved
[ 0.000000] BIOS-e820: [mem 0x00000000bd7ed000-0x00000000bdffffff] reserved
[ 0.000000] BIOS-e820: [mem 0x00000000fed20000-0x00000000fed3ffff] reserved
[ 0.000000] BIOS-e820: [mem 0x00000000fee00000-0x00000000fee00fff] reserved
[ 0.000000] BIOS-e820: [mem 0x00000000ffb00000-0x00000000ffffffff] reserved
[ 0.000000] BIOS-e820: [mem 0x0000000100000000-0x000000023fffffff] usable
[ 0.000000] NX (Execute Disable) protection: active
[ 0.000000] SMBIOS 2.6 present.
[ 0.000000] DMI: Acer Veriton S680G /Veriton S680G, BIOS P01-B0C2 03/25/2011
[ 0.000000] e820: update [mem 0x00000000-0x00000fff] usable ==> reserved
[ 0.000000] e820: remove [mem 0x000a0000-0x000fffff] usable
[ 0.000000] No AGP bridge found
--More--
root@kali:/var/log# cat dmesg | less
But what happens when you try to view the contents of a compressed file such as dmesg.1.gz?
root@kali:/var/log# cat dmesg.1.gz | more
j_�Sdmesg.0��$�,�ה8�&e� 9��4j�q�� ��F�Y��QH�.U;O�^L*��8�K7��k;tI���G�����I�ft�qE���5�ճ�hVG�d��P$�����X8��dȉ�K�ˏ �fv|\fO�g��w���g ��3�7�u�2X�K�..3e ���:q=�.sI�zM}�CB�vܫ
3q���˚���M��:�G�<�+٤�"`'�Y^��` �'yf�IpLm�y��.\���5U�4�`�����阸vf���xû�uv���}�ꀗ�u8��+�1W�
I��1�Ǹ��
�[4��wO�6w���p�fw���l��9�����I� ���9�������6��D��@^Lr�Y�N2��{�ﰄ��?:�M�����ʳ
>'2�h�J�9
Well, that wasn't helpful, was it? It's not in a human-readable format. This is where the Z commands come to the rescue.
Use zcat to view compressed files
What you do is pretty much add a z in front of your cat command. See the example below:
root@kali:/var/log# zcat dmesg.1.gz | more
[ 0.000000] Initializing cgroup subsys cpuset
[ 0.000000] Initializing cgroup subsys cpu
[ 0.000000] Initializing cgroup subsys cpuacct
[ 0.000000] Linux version 3.14-kali1-amd64 (debian-kernel@lists.debian.org) (gcc version 4.7.2 (Debian 4.7.2-5) ) #1 SMP Debian 3.14.5-1kali1 (2014-06-07)
[ 0.000000] Command line: BOOT_IMAGE=/boot/vmlinuz-3.14-kali1-amd64 root=UUID=9f174fa5-0c59-4024-b307-463b7bc1752d ro initrd=/install/gtk/initrd.gz quiet nouveau.modeset=0
[ 0.000000] e820: BIOS-provided physical RAM map:
That is so easy…
Using zcat to view files instead of cat
By this time, you are already getting the hang of it. But what happens if you want to view a regular (uncompressed) file using zcat?
root@kali:/var/log# zcat dmesg
gzip: dmesg: not in gzip format
Well, that wasn't very helpful. But there's a way around that: just use the -f flag, which lets you view any file, compressed or not, using zcat.
root@kali:/var/log# zcat -f dmesg | more
[ 0.000000] Initializing cgroup subsys cpuset
[ 0.000000] Initializing cgroup subsys cpu
[ 0.000000] Initializing cgroup subsys cpuacct
[ 0.000000] Linux version 3.14-kali1-amd64 (debian-kernel@lists.debian.org) (gcc version 4.7.2 (Debian 4.7.2-5) ) #1 SMP Debian 3.14.5-1kali1 (2014-06-07)
[ 0.000000] Command line: BOOT_IMAGE=/boot/vmlinuz-3.14-kali1-amd64 root=UUID=9f174fa5-0c59-4024-b307-463b7bc1752d ro initrd=/install/gtk/initrd.gz quiet nouveau.modeset=0
Much better. The reason I am showing this is that now you can write a script that views and searches files irrespective of whether they are compressed.
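As an added example (not from the original article), here is a POSIX shell script that does just that: it counts hits for one pattern across a log file and all of its rotations, plain or gzipped, using zgrep, which hands every file to gzip -cdfq so that uncompressed rotations pass straight through. It assumes gzip and zgrep are installed; the sample log files it builds are constructed.

```shell
#!/bin/sh
# Added example: search one pattern across a log file and its rotations,
# compressed (.gz) or not, without decompressing anything to disk.
set -eu

# Constructed sample data so the script runs anywhere; prints the directory.
make_sample_logs() {
    dir=$(mktemp -d)
    printf '[ 0.1] usb usb1: New USB device found\n[ 0.2] kernel: ok\n' > "$dir/dmesg"
    printf '[ 0.3] usb usb2: New USB device found\n' | gzip > "$dir/dmesg.1.gz"
    printf '[ 0.4] ACPI: bus type USB registered\n' | gzip > "$dir/dmesg.2.gz"
    echo "$dir"
}

# Case-insensitive hit count for PATTERN in FILE. zgrep -c prints 0 and
# exits 1 when nothing matches, which would abort under set -e without || true.
hits_in() {
    zgrep -i -c "$1" "$2" || true
}

# Per-file counts for BASE and every BASE.N / BASE.N.gz rotation go to stderr;
# the grand total is printed on stdout so callers can use it directly.
count_matches() {
    pattern=$1; base=$2; total=0
    for f in "$base" "$base".[0-9]*; do
        [ -f "$f" ] || continue        # skip an unexpanded glob
        n=$(hits_in "$pattern" "$f")
        printf '%s: %s\n' "$f" "$n" >&2
        total=$((total + n))
    done
    echo "$total"
}

# Stand-alone run: the search from the article (usb, case-insensitive) over
# the sample family, then clean up.
main() {
    dir=$(make_sample_logs)
    count_matches usb "$dir/dmesg"
    rm -r "$dir"
}

main "$@"
```

Point count_matches at /var/log/auth.log or /var/log/syslog to sweep every rotation in one pass; the per-file lines on stderr tell you which rotation holds the hits.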
Using zless and zmore to view a file page by page
So far every command I've shown pipes into less or more to view the contents page by page. Do we really need to pipe through more or less? No, we don't. We can simply use zless or zmore to view a compressed file without using zcat at all.
You can paginate a compressed file with the zless command or the zmore command as shown below.
root@kali:/var/log# zless dmesg.1.gz
(or)
root@kali:/var/log# zmore dmesg.1.gz
The best part of using zless or zmore? You can paginate uncompressed files in the same way.
root@kali:/var/log# zmore dmesg
(or)
root@kali:/var/log# zless dmesg
Fancy… really fancy.
Using zgrep and zegrep to search inside compressed files
Using zgrep and zegrep you can search the contents of a compressed file. Let's say we want to search for the word usb in our dmesg.1.gz file. We can use zgrep for that.
root@kali:/var/log# zgrep usb dmesg.1.gz | more
[ 0.776576] usbcore: registered new interface driver usbfs
[ 0.776584] usbcore: registered new interface driver hub
[ 0.782425] usbcore: registered new device driver usb
[ 0.996785] usb usb1: New USB device found, idVendor=1d6b, idProduct=0002
[ 0.996790] usb usb1: New USB device strings: Mfr=3, Product=2, SerialNumber=1
[ 0.996793] usb usb1: Product: EHCI Host Controller
[ 0.996797] usb usb1: Manufacturer: Linux 3.14-kali1-amd64 ehci_hcd
[ 0.996800] usb usb1: SerialNumber: 0000:00:1a.0
[ 1.012862] usb usb2: New USB device found, idVendor=1d6b, idProduct=0002
[ 1.012867] usb usb2: New USB device strings: Mfr=3, Product=2, SerialNumber=1
But the word usb is not the same as USB in Linux. So we can also specify the -i flag to ignore case:
root@kali:/var/log# zgrep -i usb dmesg.1.gz | more
[ 0.776552] ACPI: bus type USB registered
[ 0.776576] usbcore: registered new interface driver usbfs
[ 0.776584] usbcore: registered new interface driver hub
[ 0.782425] usbcore: registered new device driver usb
[ 0.782698] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
[ 0.981702] ehci-pci 0000:00:1a.0: new USB bus registered, assigned bus number 1
Now what if you want to use a complex regular expression? In that case you probably want to use zegrep (similar to egrep) for more flexibility, meaning you can use extended regular expressions. In my example I will just use a phrase (zgrep will also work with a simple phrase).
root@kali:/var/log# zegrep 'New USB device found' dmesg.1.gz | more
[ 0.996785] usb usb1: New USB device found, idVendor=1d6b, idProduct=0002
[ 1.012862] usb usb2: New USB device found, idVendor=1d6b, idProduct=0002
[ 1.441911] usb 1-1: New USB device found, idVendor=8087, idProduct=0020
[ 1.686156] usb 2-1: New USB device found, idVendor=8087, idProduct=0020
[ 2.067918] usb 2-1.5: New USB device found, idVendor=148f, idProduct=2870
root@kali:/var/log#
Using zdiff and zcmp to compare files
Using zdiff and zcmp you can compare two compressed files without having to uncompress them. It works just the same as using the diff command.
root@kali:/var/log# zdiff dmesg.1.gz dmesg.2.gz | more
165,166c165,166
< [ 0.000000] tsc: Detected 2792.732 MHz processor
< [ 0.000024] Calibrating delay loop (skipped), value calculated using timer frequency.. 5585.46 BogoMIPS (lpj=11170928)
---
> [ 0.000000] tsc: Detected 2792.959 MHz processor
> [ 0.000023] Calibrating delay loop (skipped), value calculated using timer frequency.. 5585.91 BogoMIPS (lpj=11171836)
169c169
< [ 0.002649] ACPI: All ACPI Tables successfully acquired
---
> [ 0.002648] ACPI: All ACPI Tables successfully acquired
171,175c171,175
< [ 0.002771] AppArmor: AppArmor disabled by boot time parameter
< [ 0.002772] Yama: disabled by default; enable with sysctl kernel.yama.*
< [ 0.003175] Dentry cache hash table entries: 1048576 (order: 11, 8388608 bytes)
< [ 0.004583] Inode-cache hash table entries: 524288 (order: 10, 4194304 bytes)
< [ 0.005223] Mount-cache hash table entries: 16384 (order: 5, 131072 bytes)
---
> [ 0.002770] AppArmor: AppArmor disabled by boot time parameter
> [ 0.002771] Yama: disabled by default; enable with sysctl kernel.yama.*
Using zcmp, you can compare files as well; its output is more compact than zdiff's, since it only reports the first differing byte and line.
root@kali:/var/log# zcmp dmesg.1.gz dmesg.2.gz
/dev/fd/5 - differ: byte 10694, line 165
root@kali:/var/log#
Conclusion
Thanks for reading. The Z commands are very useful and powerful, as you can use them in scripts directly.
This article was inspired by Sathiya Moorthy's post on The Geek Stuff.