Your /home for Linux-related Fun and Learning!

Linux Crash Course: How To Use “who” And “w” Commands

Learn the difference between the Linux who and w commands in this step-by-step tutorial. Both commands are used to check who is logged into a Linux system, but they display information in different ways. In this video, you’ll see clear examples of how to use the who command to view logged-in users, and how the w command gives you more detailed information about user sessions and activity.

This Linux command line guide is perfect for beginners who want to understand system monitoring basics and for anyone looking to strengthen their Linux skills. Whether you’re working with servers, desktops, or just learning the Linux terminal, you’ll walk away knowing how to use who and w effectively.

YouTube player

LCC – The ‘who’ and ‘w’ Commands

Intro

Hello and welcome back to Learn Linux TV!

Mention:

  • The who and w commands are used to find out who is logged in to a Linux server or workstation
  • Both commands do the same thing, but each format output differently and have different options
  • Very useful if you want to see who is logged into a server before performing maintenance
  • Also one of the first commands you should run if you think someone might have breached your systems
  • We’ll explore both commands, and also go over which to use in a given situation

Topic

Note: Open tmux with split, and show both who and w output and mention the output is different

As I mentioned during the intro, both the who and w commands are used to find out who’s logged in to your system. While both commands have the same goal, each will show information a bit differently. To show you the difference, I’ll log into a Debian server and see who’s logged in.

I’ll also open tmux, which allows me to split my terminal window. If you have no idea what tmux is, I highly recommend you check it out. It allows you to easily manage terminal sessions, create window layouts, and it also gives you the ability to manage sessions. If you want to learn it, I’ll leave a card right about here for my complete series that teaches you everything you’ll need to know.

Anyway, this article is about the who and w commands and not tmux, so let’s get into it.

What I’ll do is show you the output of who on the left, and then I’ll use the w command on the right. This way you’ll see the difference immediately.

(Do that)

Anyway, as you can see, I have a number of characters logged into my server, and the output of both commands shows me who’s accessing my server. Since the output of both is a bit different, I’ll cover each in their own sections – starting with the who command.

Basic examples of the who command

In this section, what I’m going to do is go over the who command, and I’ll explain the output so that way you’ll understand exactly what’s happening.

who

As you can see, we see a list of users that are logged in. Some of the output is fairly obvious. For example, we see the username of each user, as well as the IP address that they’re logged in from. And already, this gives us some value. If we need to investigate who’s accessing our server for any reason, we have a list right here. The first thing to consider is whether or not you have any users accessing your server that shouldn’t be. In my case, all of these users are expected.

Also, we should inspect the IP address field as well, which is even more important. While looking at the output, it’s important to determine if each of the IP addresses are appropriate for access. For example, if we see an IP address here that’s not coming from an expected network, that’s a red flag. In my case though, each one of these IP’s are from a legitimate network address.

Before I move on and explain the rest of the output, there’s some important things to keep in mind. If you’re ever under the impression that a system breach may have happened, having valid users and IP addresses doesn’t necessarily mean that nothing suspicious is going on. For example, if a legitimate user or system is ever compromised, then the list will look legitimate even if it’s not. Still, using the who command is quick and simple, so it’s a good place to start in order to see some useful information.

Anyway, let’s continue and look at the remainder of the output. We already know what the first column is, it’s a list of users. In the next column, we have sshd on every line. This means that each of these users accessed the server remotely via ssh. Of course, that’s not the only way a user can access a system. For example, if the user was physically present with a keyboard and mouse in front of a server, that’s going to show as a tty login. If it’s a workstation, you might see gdm here – that’s the service that handles login from a GNOME-based workstation. There’s other things that can show up in this field too, and I’ll leave a table on the screen right now that will show you some of the things that might appear here. The takeaway with the second column is that it shows where the login came from.

Continuing, the third column shows us the psuedo-terminal. Basically, whenever a user opens a session it’s going to be given a psuedo-terminal number to help identify it. This number starts at 0, and then each user will get their own and it will increment each time. Another useful thing to know is that opening terminal windows on a desktop system creates psuedo terminals too, in fact each terminal window will get its own.

Next, let’s take a look at the third column. It’s probably self-explanatory, but here we see the date and time that each session started. So we can see that sheldon logged in at 11:44, raj logged in at 11:49, and so on.

Finally, the last column shows the IP address that the connection is coming from, which I went over earlier.

Options

Before we move on to the w command, let’s go over some common options with the who command.

And the first of those is an option that can help you with an identity crisis.

who am i

As you can see, it shows me information about myself. Perhaps this example isn’t the most useful, especially considering that you’ll typically see your username in the bash prompt, so it’ll show you your current session.

Another weird variation is you can use the who command to find out who mom likes. Seriously:

who mom likes

And sure, it’s another not-so-useful example, but I bet most of you didn’t know that option existed.

Anyway, let’s see some options for the who command that are actually useful. And we’ll start with the -b option:

who -b

With this command, we’re able to see the date and time of the last system boot. So if you wanted to find out when a server or workstation started, that’s how you do it.

Alternatively, you can always use the uptime command for similar information:

uptime

And that just goes to show you that when it comes to Linux, there’s almost always more than one way to do just about anything.

Anyway, the next option I’ll show you is -H, which will add a neat header line to the output:

who -H

Continuing, the -q option will show us only the user list, along with a count of how many users are logged in:

who -q

And this might be the most useful in scripts, when you want to simplify the output before chaining it into another command. For example, if you want to create a script that performs a function against each logged in user, you can use the output of who -q and then iterate over it with a for loop. Although writing scripts is beyond the scope of this article, I put together a quick script that will show the home directory for each user on the list:

./script.sh

And if you’re curious, here’s the code:

vim script.sh

I’m not going to go over this script line by line, because I have an entire course here on YouTube that covers Bash scripting if you want to learn that. In fact, I’ll leave a card for the first episode right about here. The main point with me showing you this is that whenever you have an option with a command to show less output, it often makes it easier to use the output in a script.

Basic examples of the w command

Now, let’s see the w command in action.

w

As you can see, we get a lot of the same information, but there’s additional columns we didn’t see with the who command. Of particular note is the “WHAT” column, which shows us what each user is doing.

In this case, we see sheldon running the htop command, while bernadette is using top because she’s old-school like that. Leonard on the other hand, seems to be up to no good – he’s writing some notes about how he plans on pranking sheldon.

Of course, I set up each of these users with a particular task to make this example more interesting, but nothing of any importance is actually going on here. In the real world, the WHAT column can be incredibly useful, because it’s important to not only know who’s logged in to a system, but as an administrator you’ll need to be able to see what people are up to. And that’s perhaps the biggest difference between who and w. They both show you who’s accessing your system, but the w command goes a step further and also shows you what everyone is up to.

Other than that, most of the columns shown with the w command display similar information as the who command, so at this point we already know what several of these columns represent. I’ll skip going over the USER, TTY and FROM fields, since we covered that with the who command. It’s the same information. What I’ll do now is explain the output that wasn’t shown with who.

On the first line, we get see some helpful information regarding the system itself. We see that the server started up at 12:33, and it’s been up for XX minutes. We also see that there’s 7 users logged in, and the load average is also shown. I’ve covered load average in other videos, but the basic idea is that it shows three numbers, with each representing how busy this system has been over the last 1, 5, and 15 minutes. In this case, this server is showing zeroes which means it’s not really all that busy. And that makes sense, it’s just a Proxmox VM I set up for this tutorial. If your server does actual work, you’d see different numbers here. These numbers represent CPU load, and to tell whether or not the numbers are a problem, the simplest explanation is to total the number of CPU cores your system has. For example, if you have a server with four cores, then a load average of 4 in any of those time periods respresents 100% capacity. On the other hand, if you have an 8 core CPU with a load average of 4, then your system is 50% utilized. And again, each number represents your systems load over the past 1, 5, and 15 minutes respectively. If you want to learn more about load average, I have other videos that cover it – so let’s move on.

After the header line, we see the USER, TTY, and FROM fields that show us information that we saw earlier with the who command. The fourth column shows us when each session started, which is similar to the information displayed with the who command but it’s formatted a bit differently.

The fifth column is specific to the w command, and can be quite useful. It shows us how long a session has been idle for. This pertains to how much time has passed since the user was last active. Active in this case refers to keyboard input, it’s the amount of time that’s passed since the user last pressed a key on their keyboard.

For example, what I’ll do is go to one of the sessions and I’ll press a random key on the keyboard. Now, when we view the content again, we can see that the idle time for user XXX was reset. And that’s because I walked over to the computer the session came from, and actually pressed a key on the keyboard.

Anyway, the idle time can be useful when you go to perform maintenance on a server. Perhaps you’ll send a message to everyone that’s logged in to inform them to log out by a specific time. If you have a user that doesn’t respond, and their session is active, you may need to kill it. After all, you did warn them. If a user is still active at the time of maintenance, then you can simply call them and tell them to log out.

Next, let’s take a look at PCPU. I’ll cover JCPU in a moment, but I think PCPU is easier to explain so let’s tackle that. And it’s quite simple really – the PCPU field pertains to how much CPU time was spent performing the task in the WHAT column. Keep in mind that this doesn’t pertain to how much time the process has been running, but instead the amount of time the CPU has spent computing whatever it is that they’re doing. In this case, it’s just a few seconds each – not much CPU time is spent while editing files and things like that.

Now we’ll take a look at the JCPU column. LIke PCPU, it shows us how much CPU time is being used, but the difference is that JCPU is showing us how much CPU time has been spent by any process attached to that user. This includes what is shown in the WHAT column, plus any other tasks that they may have that are attached to the terminal.

And that about does it when it comes to reading the output of the w command. Let’s take a look at some of the common options you might use, starting with -h.

w -h

In this case, you’ll notice the header is gone – which is exactly what the -h option does, it removes the header. We can also use the -s option for short output, which removes both CPU time columns:

w -s

Perhaps more useful is the -p option, which will show you the process ID within the WHAT column:

w -p

If you need to kill a session, that can be quite useful. For example, if you’ve notified your users about maintenance and some people are still logged in, you can use the kill command against one of the process ID’s to kill whatever the user is running.

If you check the man page for the w command, there’s more options you can throw at it – but for the most part, those are the ones you’ll use the most often.

When to use each

Before I close out the article, I wanted to go over when you should use each between the w and who commands. For the most part, they show the same information but as you saw – there are differences.

One of the primary considerations regarding which to use is whether or not you need to see what the users are up to. With the who command, we saw who was logged in to the system but it didn’t have a column to show us what they’re doing. On the other hand, the w command includes a “WHAT” column, which tells us exactly what each user is running within their session.

On the other hand, the who command can be more useful in scripts, since you can shorten the information down to just a user list. That makes it easy to write a script to run a command against each session. Now, the w command also has a few options to shorten output as well, but the who command facilitates scripts a bit better.

But when it all comes down to it, it’s probably a good idea to learn both. The who and w commands are super simple, so there’s not much to learn. If nothing else, you should keep notes for all of the common Linux commands, you’ll never know when you might need them. And the who and w commands are essential, because as a system administrator – understanding what’s happening inside your servers is very important.

Outro

Here

New Book Coming Soon!

Linux is one of the best decisions you can make for your computer — but knowing where to start is the hard part. This guide walks you through everything: choosing a distribution, installing it, and using it confidently every day. It’ll be released very soon!

Join the Announcement List
Get Some Awesome Stuff!
Members-only Perks

Becoming a member gives you access to exclusive perks:

  • Ad-free Content
  • Early access to select videos
  • Discord access

And more!

Join on YouTube
Become a Patron
Join on Fourthwall