SANS Digital Forensics and Incident Response Blog

A Quick Idiom for Pretty-Printing /proc Data

This is just a short note about a useful little idiom that a lot of people I run into seem to have never seen before. You're all aware that the /proc file system contains a great deal of information about processes that's useful in an incident response situation. However, when you start looking at this data it can sometimes be difficult to read:

$ cd /proc/self
$ cat environ
GNOME_KEYRING_SOCKET=/tmp/keyring-r8yNJT/socketLOGNAME=halGDMSESSION=default...

Yuck! All of the environment variables are jammed together in an unreadable mess.

The reason the output appears this way is that the various strings in the /proc structures use nulls (ASCII zero) instead of newlines as terminating characters (just like strings in C). You don't usually see the nulls because they're non-printable characters, so consecutive entries run together on the screen.

But with a little help from the "tr" command you can convert the nulls to newlines and make everything much more readable:

$ cat environ | tr \\000 \\n
GNOME_KEYRING_SOCKET=/tmp/keyring-r8yNJT/socket
LOGNAME=hal
GDMSESSION=default
[...]

Notice the use of double backslashes in the command above — the extra backwhack makes sure that the arguments to "tr" end up being \000 and \n after being interpolated by the shell (or you could use single quotes).
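The idiom above, wrapped into a couple of small shell functions as an added example (this is not code from the original post): one turns any NUL-separated /proc file such as environ or cmdline into one entry per line, the other flattens a cmdline file onto a single line, which is the form you want when listing every process under /proc/[0-9]*. The function names and the sample environ/cmdline contents are constructed for the example so it runs without touching a live process.

```shell
# Convert the NUL-terminated strings in a /proc file (environ, cmdline)
# into one entry per line. The trailing NUL in the file becomes a
# trailing newline, so the last entry is terminated like the others.
nul_to_lines() {
    tr '\000' '\n' < "$1"
}

# Show a cmdline file as one line with arguments separated by spaces;
# the trailing space left by the final NUL is stripped.
cmdline_one_line() {
    tr '\000' ' ' < "$1" | sed 's/ $//'
}

# Count the entries in a NUL-separated file (one newline per entry after
# conversion). Note: a file without a terminating NUL would undercount
# by one; /proc environ and cmdline always end with a NUL.
count_entries() {
    nul_to_lines "$1" | wc -l | tr -d ' '
}

# Constructed sample data (not captured from a real process): printf
# writes the literal NUL bytes that separate and terminate each entry,
# which is exactly how the kernel presents /proc/<pid>/environ and
# /proc/<pid>/cmdline.
SAMPLE_DIR=$(mktemp -d)
printf 'LOGNAME=hal\000GDMSESSION=default\000SHELL=/bin/bash\000' \
    > "$SAMPLE_DIR/environ"
printf '/usr/bin/python3\000-c\000import os\000' > "$SAMPLE_DIR/cmdline"

# Demonstration: the unreadable blob becomes one variable per line, and
# the command line reads as it would in ps output.
nul_to_lines "$SAMPLE_DIR/environ"
cmdline_one_line "$SAMPLE_DIR/cmdline"
```

On a live system the same functions apply directly to /proc/<pid>/environ and /proc/<pid>/cmdline, e.g. `for c in /proc/[0-9]*/cmdline; do cmdline_one_line "$c"; done` to survey every process.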

I hope you find this little trick useful. I find myself using it constantly.

Hal Pomeranz is an independent IT/Computer Security consultant and a SANS Faculty Fellow. He spends far too much of his life herding Unix/Linux systems.