Michael Hogg - Other - Mac OS X Terminal commands guide


	Overview

	Game of Life

	TV episodes

	Overview

	Star Trek TNG

	The Trap Door

	Willo the Wisp


	OS X Terminal

	AppleScripts

	Foxy :-)

	Pi to 100

	Links

Mac OS X Terminal commands guide

Page under construction since 16th June 2008...

The Mac OS X Terminal is an extremely useful and powerful application, but many Mac users are put off by the fact that all interaction takes place via typed commands due to the lack of a GUI. I am therefore creating this guide to illustrate just how useful the Terminal can be.

For example, if a CD or DVD has become stuck in the computer and cannot be ejected in the normal way, the drutil command can be used to force-eject it. If you’re trying to eject an external hard disk in the Finder, but you get an error message saying “The disk is in use and could not be ejected”, the lsof command can help you determine which applications you need to quit, to allow the disk to be ejected.

If you have never used the Terminal before, then check out some of these introductory articles: 1, 2, 3. (Note that, since Mac OS X is based on Unix, many Unix tutorial articles are also applicable to the Terminal.) The three commands which you should learn first are:

ls	List the contents of a directory
cd	Move to a different directory
sudo	Authenticate yourself as a superuser to gain more security privileges

You should also learn the four special directory symbols:

.	Current directory
..	Parent directory
/	Root directory
~	Home directory

It’s also useful to know that OS X stores three different timestamps for every file:

ctime	inode change time (last change time of the file’s owner, permissions, etc)
atime	Access time (when the data was last accessed)
mtime	Modification time (when the actual contents were last modified)

Many Terminal commands have a very large number of available options, so I will only be documenting the options which I find most useful. If you want more detailed information about a command, consult its manual page.

Table of contents

diskutil	Interact with disks and volumes/partitions
drutil	Interact with CD or DVD drives
file	Determine the type of a file
find	Search for files
fs_usage	Display real-time filesystem activity
ipfw	Limit network bandwidth used by applications
ls	List the contents of a directory
lsof	List files which are currently open
screencapture	Take a screenshot
ssh	Secure SHell (create an encrypted connection)

diskutil – View manual page

Description

Interact with volumes (also known as partitions) and disks.

Syntax

diskutil list

Print a complete list of all disks and all of their volumes.

diskutil verb device

Perform the specified verb on the specified device.

Verbs

info	Get detailed information about a specific disk or volume.
unmount	Unmount a single volume.
unmount force	Force-unmount a single volume. Warning: this may corrupt files which are currently being written to.
unmountDisk	Unmount an entire disk (all volumes).
unmountDisk force	Force-unmount an entire disk (all volumes). Warning: this may corrupt files which are currently being written to.
eject	Eject a disk. Removable media will become eligible for safe manual removal, and automatically-removable media will begin its physical (motorised) eject sequence.
mount	Mount a single volume.
mount readOnly	Mount a single volume with the file system in read-only mode, even if the volume’s underlying file system, device or media supports writing. Even the super-user may not write to it.
mountDisk	Mount an entire disk (all mountable volumes).

Devices

A device can be a single volume or an entire disk. Running the command diskutil list will list all the disks and volumes currently available. From this listing, the identifier of each disk and volume can be obtained.

A disk identifier is of the form /dev/disk*. For example, /dev/disk0.

A volume identifier is of the form disk*s*. For example, disk0s3.

If a volume is mounted, then it can be referred to using its volume mount point, of the form "/Volumes/*". For example, "/Volumes/External HD".

Examples

diskutil unmount force "/Volumes/External HD"

Force-unmount the single volume "/Volumes/External HD". Warning: this may corrupt files which are currently being written to.

diskutil eject /dev/disk0

Eject the disk /dev/disk0.

diskutil mount readOnly disk0s3

Mount the single volume disk0s3 with the file system in read-only mode.

drutil – View manual page

Description

Interact with CD or DVD drives, including force-ejecting a disc.

Syntax

drutil verb

Perform the specified verb on the default CD/DVD drive.

drutil -drive id verb

Perform the specified verb on the drive with the specified id number.

Verbs

discinfo	Displays detailed information about present media.
getconfig type	Displays a list of features and profiles for the drive, based on the type, which can be current or supported.
info	Displays various pieces of information for each drive, including how it’s connected to the computer and a summary of capabilities.
list	Lists all burning devices connected to the machine. The device ID numbers which are listed can then be used with the -drive option.
status	Displays detailed media-specific information.
tray open	Opens a drive’s tray (if no media is present and the drive has a tray capable of motorised eject).
tray close	Closes a drive’s tray (if the drive has a tray capable of motorised inject).
tray eject	Ejects media from the drive (if the drive has a tray capable of motorised eject). If no media is present, this is equivalent to tray open. If media is present and can be unmounted, it will be unmounted and then ejected. If media is present but cannot be unmounted, the eject will fail.

Examples

drutil tray eject

Force-eject the disc in the default drive, if possible.

drutil -drive 1 status

Displays detailed media-specific information for the media in the drive with ID number 1.

file – View manual page


	Description				Determines the type of a file, by performing filesystem tests, magic number tests and language tests (the filename extension is ignored). This command is very useful if a file’s name has lost its extension, or has been given an incorrect extension.



	Wikipedia				Article



	Syntax				file filename Attempt to determine the type of the file specified by filename.



	Examples				file MyMovie.mov Outputs the message ISO Media, Apple QuickTime movie file MyMovie.mp4 Outputs the message ISO Media, MPEG v4 system, version 2 file MyEssay.doc Outputs the message Microsoft Office Document file MyPhoto.jpg Outputs the message JPEG image data, JFIF standard 1.01 file MyDocument.pdf Outputs the message PDF document, version 1.3

find – View manual page

Description

Searches in the specified root directory (including subdirectories), and lists all files which match the search criteria.

Wikipedia

Article

Syntax

find root_directory search_criteria

root_directory Files and subdirectories in this root directory will be searched.
search_criteria Only files which match all these criteria will appear in the search results.

To search in directories which require high security privileges, use:

sudo find root_directory search_criteria

Search criteria

-name pattern	The filename must match pattern (case sensitive). This can be an exact string, such as "readme.txt", or you can use the special wildcards, including * (matches any zero or more characters) and ? (matches any one character). These wildcards may be matched explicitly by escaping them with \. For example, -name "*.txt" matches all files ending in .txt, and -name "questions\?.txt" matches files with the exact name questions?.txt. More information on patterns can be found here and here.
-iname pattern	Like -name, but the match is case insensitive.
-maxdepth n	The depth of the file into the directory tree must not be greater than n directories. For example, -maxdepth 1 will only match files in the current directory, and -maxdepth 2 will match files in the current directory and one level of subdirectories.
-size Rnc	If R is not supplied, then the file’s size must be exactly n bytes. If R is +, then the file’s size must be more than n bytes. If R is -, then the file’s size must be less than n bytes. For example, -size 1024c matches files of exactly 1024 bytes, and -size +2048c matches files larger than 2048 bytes.
-newerXt timestamp	The file must have a newer atime (X=a), ctime (X=c) or mtime (X=m) than timestamp. There are many valid formats for timestamp, including absolute (eg. '22 Jun 2006 7:40pm') and relative (eg. '1 minute ago', '3 hours ago', etc). More information on timestamp formats can be found here.
-type filetype	The file must be of type filetype. The possible types include d (directory), f (normal file) and l (symbolic link, also known as an alias or shortcut).

Any of the above criteria can have -not added before it, to reverse the condition. For example, -not -name "*.txt" will match all files whose names don’t end in .txt, and -not -newermt '22 Jun 2006' will match all files whose modification times are not later than 22nd June 2006.

-ls	Print detailed information for each matching file.

Examples

find ~ -ls -iname "data*" -maxdepth 3

Search from the home directory, and print detailed information for all files whose names begin with data (case insensitive) and are not more than 3 directories deep (including current directory).

find /Users/michaelhogg/Desktop/ -ls -newermt '22 Jun 2006' -size +1024c

Search from the directory /Users/michaelhogg/Desktop/, and print detailed information for all files which were modified after 22nd June 2006 and are at least 1024 bytes in size.

fs_usage – View manual page

Description

Displays filesystem activity in real-time. The output is formatted according to the size of your window – a narrow window will display fewer columns of data, so use a wide window for maximum data display.

Syntax

sudo fs_usage options processes

options Filtering and display options.
processes A space-separated list of process names or IDs.

Options

-w	Forces a wider, more detailed output, regardless of the window size. The data displayed will wrap when the window is not wide enough.
-f mode	Turns on output filtering based on the mode, which can be network (only network related output is displayed) or filesys (only file system related output is displayed).

Processes

The sampled data can be limited to a list of process names or IDs. (Use Activity Monitor to view a list of active processes). Processes are supplied to fs_usage as a space-separated list of quoted names (eg. "Safari" "Finder") or IDs (eg. 344 451).

Output format

The data columns displayed are as follows:

Timestamp
System call name
File descriptor F=x
Byte count B=x
Error number [x]
Pathname of file (the beginning may be truncated)
Fault address A=0xnnnnnnnn
Physical disk block number D=0xnnnnnnnn
File offset O=0xnnnnnnnn
select() system call ready descriptors count S=x
Elapsed time (a W indicates “wait” – the process was scheduled out during this file activity)
Process name

Example

sudo fs_usage -w -f filesys "Mail" "Dock" "Finder"

Display filesystem activity in wide format for processes called Mail, Dock and Finder.

ipfw – View manual page


	Description				IP firewall and traffic shaper control program. Very useful for preventing bandwidth-hungry applications from consuming all your network bandwidth (eg. uploading videos). This command is actually extremely powerful and complex, but here I’m only documenting its bandwidth-limiting functionality. For more info, check out these articles: 1, 2, 3, 4.



	Wikipedia				Article



	Syntax				There are two steps required to set up a “pipe” to limit an application’s bandwidth usage. First, create the pipe: sudo ipfw pipe id config bw bandwidth This creates a pipe with an ID number id of your choice (between 1 and 65535) and maximum bandwidth of bandwidth. Second, attach the pipe to your network: sudo ipfw add pipe id protocol from src to dst direction This attaches the pipe with ID number id to the specified network protocol, limiting the bandwidth of data travelling from src to dst in the specified direction (either in or out).



	Bandwidth				The bandwidth of a pipe is specified by supplying a number (eg: 30) followed by any of these units: bit/s Byte/s Kbit/s KByte/s Mbit/s MByte/s



	Protocol				Common IP network protocol include tcp, udp and icmp. To include all network protocols, use either all or ip.



	src & dst				The source and destination can be specified in the following ways: Any address, any port – any IP address, any port – 66.102.9.147 Hostname, any port – www.google.com Any address, specific port – any 80 IP address, specific port – 66.102.9.147 80 Hostname, specific port – www.google.com 80 As an alternative to port numbers, service names can be used instead. Common service names include ftp-data, ftp, ssh, smtp, http, pop3, imap, https and pop3s. Examples: Any address, HTTP port – any http IP address, HTTP port – 66.102.9.147 http Hostname, HTTP port – www.google.com http Note that if the source and destination imply a specific data direction, then there’s no need to specify the direction too: sudo ipfw add pipe 1 all from 192.168.0.2 to 66.102.9.147 In the example above, data is travelling outwards (from a local address to a remote address), so there’s no need to specify the out direction.



	Example				sudo ipfw pipe 1 config bw 30KByte/s Create a pipe with ID number 1 and maximum bandwidth of 30KByte/s. sudo ipfw add pipe 1 all from any to any 80 out Attach the pipe with ID number 1 to all network protocols, limiting the bandwidth of data travelling from any source (any port) to any destination (port 80) in the out direction.



	Disabling				There are four steps required to disable a pipe that’s been configured: Obtain the rule number for your connected pipe, using sudo ipfw list. The rule number will be a five-digit number, such as 00100. Delete the rule, using sudo ipfw delete num, where num is the rule number. If you’ve forgotten the ID number of the pipe you originally created, check it using sudo ipfw pipe list. Delete the pipe, using sudo ipfw pipe delete id, where id is the pipe’s ID number.

ls – View manual page

Description

Lists the contents of a directory. By default, it lists the contents in alphabetical order, in multiple columns.

Wikipedia

Article

Syntax

ls options

List the contents of the current directory, using the specified options.

ls options directory

List the contents of the specified directory, using the specified options.

Options

The following options control the layout of the listing. Only one of these options should be used.

-l	List in long format. The following information is displayed for each file: file mode, number of links, owner name, group name, number of bytes in the file, mtime, and the filename. (Note: this option is the lowercase letter “L”.)
-1	Force output to be one entry per line. (Note: this option is the digit “one”.)
-m	Stream output format – list files across the page, separated by commas.

The following options specify how the listing is sorted.

-S	Sort contents by size (largest first) instead of alphabetically.
-t	Sort contents by mtime (most recently modified first) instead of alphabetically.
-c	When used with -l, display ctime instead of mtime. When used with -t, sort contents by ctime (most recently changed first) instead of mtime.
-u	When used with -l, display atime instead of mtime. When used with -t, sort contents by atime (most recently accessed first) instead of mtime.
-r	Reverse the order of the sort.

Other options include:

-h	When used with -l, use the following suffixes for displaying file sizes: B (byte), K (kilobyte), M (megabyte), G (gigabyte), T (terabyte) and P (petabyte).
-T	When used with -l, display complete time information for the file, including month, day, hour, minute, second, and year.
-a	Include directory entries whose names begin with a dot (.).
-R	Recursively list subdirectories encountered.
-G	Enable colourised output.

Note that when specifying multiple options, a compressed format can be used for efficiency. For example:

Standard	ls -1 -t -c -r -G
Compressed	ls -1tcrG

Examples

ls -lShT

List the contents of the current directory, in long format, sorted by size (largest first), and displaying suffixes for file sizes and complete time information.

ls -1tcrG /Users/

List the contents of the directory /Users/, with one entry per line, sorted by ctime (oldest change first), and colourised output.

lsof – View manual page


	Description				List files which are currently open. Very useful for discovering which open files are preventing disk volumes from being unmounted.



	Wikipedia				Article



	Syntax				sudo lsof +c 0 -s List the open files on all mounted volumes. sudo lsof +c 0 -s volume List the open files on the specified volume.



	Volumes				A volume identifier is of the form /dev/disks. For example, /dev/disk1s3. You can obtain a list of identifiers for all currently mounted volumes by running the command diskutil list (see the diskutil entry for more info). A volume can also be referred to using its volume mount point, of the form "/Volumes/*". For example, "/Volumes/External HD".



	Output format				The data columns displayed are as follows: COMMAND – UNIX command name PID – Process IDentification number USER – User ID number or login name FD – File Descriptor number TYPE – Type of the node associated with the file DEVICE – Device numbers, separated by commas SIZE – Size in bytes NODE – Node number NAME – File name



	Example				You try to unmount (eject) the volume “External HD” in the Finder, but you get an error message saying ‘The disk “External HD” is in use and could not be ejected. Try quitting applications and try again.’ In the Terminal, run the following command: sudo lsof +c 0 -s "/Volumes/External HD" You notice the following item in the output (some columns omitted here): COMMAND SIZE NAME QuickTime\x20Player 220073984 /Volumes/External HD/Party.mov So the file Party.mov is in use by QuickTime\x20Player, and this is preventing the volume from being unmounted. Quit QuickTime Player, and try ejecting the volume again.

screencapture – View manual page

Description

Take a screenshot, and either save it to disk or copy it to the clipboard.

Syntax

screencapture options file

Take a screenshot, using the specified options, and save it to file.

screencapture -c options

Take a screenshot, using the specified options, and copy it to the clipboard.

Options

-C	Include the mouse cursor in the screenshot.
-tformat	Specify the image format for saving the screenshot. The default is png. Other valid formats include bmp, gif, jpg, pdf and tiff. This option is only applicable when saving the screenshot to a file (not copying it to the clipboard).

Examples

screencapture -C -tjpg /Users/michaelhogg/Desktop/screenshot.jpg

Take a screenshot, including the mouse cursor, and save it as a file called screenshot.jpg in the folder /Users/michaelhogg/Desktop/, in jpg (JPEG) format.

screencapture -c -C

Take a screenshot, including the mouse cursor, and copy it to the clipboard.

Notes

This command by itself isn’t particularly useful, since the Grab application in the Utilities folder performs all the same functions. However, this command can be very useful when called programmatically, eg. using AppleScript (view my example) or a shell script.

ssh – View manual page


	Description				Secure SHell – connect to another computer using an encrypted connection. Here I’m only documenting the tunneling functionality of this command. For more info on SSH tunneling, check out this article.



	Wikipedia				Article



	Syntax				ssh -L localport:remotehost:remoteport username@sshserver Create a secure connection to sshserver, logging in as username (you will be prompted to enter the password). Then create a tunnel through the secure connection, from localport within your computer, via sshserver, to remotehost:remoteport. You can choose any unused port for localport, but port numbers less than 1024 are privileged and require root permissions (eg. by appending sudo to the start of the ssh command).



	Example 1				You have a Wi-Fi-enabled laptop, and you want to check for new emails on your BT Internet email account, by connecting to mail.btinternet.com port 110. However, your local Wi-Fi network is not secure, so anyone nearby with a laptop and suitable software could eavesdrop on your emails while you’re downloading them. So you use SSH to create a secure tunnel between your computer and an SSH server on your local network (192.168.0.3), and then connect the remote end of the tunnel to the BT Internet email server: ssh -L 7777:mail.btinternet.com:110 michael@192.168.0.3 This creates a secure connection to 192.168.0.3, logging in as michael (enter the password when prompted). It then creates a tunnel through the secure connection, from port 7777 within your computer, via 192.168.0.3, to mail.btinternet.com port 110. You now reconfigure your email application, so that instead of connecting directly to mail.btinternet.com port 110, it connects to localhost port 7777. All data that travels between your email application and mail.btinternet.com will now travel inside the secure SSH tunnel. Anyone nearby who attempts to eavesdrop on your emails on the insecure Wi-Fi network will only see encrypted SSH traffic, which they can’t decode.



	Example 2				You have a Wi-Fi-enabled laptop, and you want to connect to an AFP file server at 192.168.0.3 port 548. However, your local Wi-Fi network is not secure, so anyone nearby with a laptop and suitable software could eavesdrop on the data that you’re reading and writing. However, the AFP file server is also running SSH, so you use SSH to create a secure tunnel between your computer and the server, and then connect the remote end of the tunnel to AFP within the server: ssh -L 7777:localhost:548 michael@192.168.0.3 This creates a secure connection to 192.168.0.3, logging in as michael (enter the password when prompted). It then creates a tunnel through the secure connection, from port 7777 within your computer, to port 548 within 192.168.0.3 (the remote localhost). Now, instead of connecting directly to afp://192.168.0.3:548 in the Finder’s “Connect to Server” prompt, you connect to afp://localhost:7777. All AFP data that travels between your computer and the file server will now travel inside the secure SSH tunnel. Anyone nearby who attempts to eavesdrop on your data on the insecure Wi-Fi network will only see encrypted SSH traffic, which they can’t decode. Note: there are two different uses of localhost here. In the ssh command, localhost is defined relative to the remote end of the SSH tunnel (inside 192.168.0.3), so in this case, localhost refers to 192.168.0.3. When using the Finder’s “Connect to Server” prompt, localhost refers to your own computer (the local end of the SSH tunnel). For more info on AFP over SSH, check out this article.

Comments

Automatic country lookup for comments powered by MaxMind GeoLite Country

Phil 25 Jan 2010 United Kingdom	Thanks very much, I have found the information here invaluable. Cheers Phil
Jeremy Fusco 26 Jan 2010 United States	ls and ctime. Hi, it doesn't appear OS X's HFS+ filesystem supports ctime? The below does the expect on linux + nfs and doesn't update the creation time. Also the ls manpage doesn't show -c as an option for ctime, and no mention of ctime is in the manpage.. Tue Jan 26 10:18:16 PST 2010 bash-3.2$ echo hi >> test bash-3.2$ ls -alc total 8 drwxr-xr-x 3 jfusco staff 102 Jan 26 10:11 . drwx------ 44 jfusco staff 1564 Jan 26 10:11 .. -rw-r--r-- 1 jfusco staff 20 Jan 26 10:18 test bash-3.2$ date Tue Jan 26 10:19:07 PST 2010 bash-3.2$ echo there >> test bash-3.2$ ls -alc total 8 drwxr-xr-x 3 jfusco staff 102 Jan 26 10:11 . drwx------ 44 jfusco staff 1564 Jan 26 10:11 .. -rw-r--r-- 1 jfusco staff 26 Jan 26 10:19 test
Michael Hogg 27 Jan 2010	Hi Jeremy, Confusingly, "ctime" doesn't mean "creation time". It actually means "inode change time", which is the last change time of the file's owner, permissions, etc. In Mac OS X, the real "creation time" is stored in the Spotlight metadata for a file, in the kMDItemFSCreationDate field. In the man page for "ls", the "-c" option is defined as "time when file status was last changed". This is "ctime" (although it doesn't explicitly mention "ctime"). Hope that helps!

Add a comment

Name	(optional)	Copy the security code above into the box below: The security code is a CAPTCHA to prevent automated software from posting large amounts of spam comments (I get about 22 spam comments for every 1 genuine comment).
Comment	No HTML or BBCode please

Contact me – Page last updated on 10th September 2009 – Website hosted by 5quidhost (highly recommended!)