The w command in Linux: see connected users and their activity

Introduction

In Linux system administration, knowing who is logged in and what they are doing at any moment is essential for diagnosing performance problems, carrying out security audits, or simply helping a user.

What is the w command?

The w command is a standard utility that displays a summary of the users currently logged into the system, along with the load average and how long each session has been idle. It combines information from who, uptime, and ps into a single view.

Basic syntax and most used options

The simplest form is to run w without arguments. However, it provides several options that allow filtering or changing the output format.

  • -h: omits the header line.
  • -s: uses the short format, without login time, JCPU, and PCPU.
  • -f: toggles display of the FROM field (the hostname or IP from where the user connected).
  • -u: ignores the username when calculating load and times.
  • username: shows only the information for a specific user.

Understanding w output

The typical output includes several columns:

  • USER: name of the user who started the session.
  • TTY: associated terminal or pseudo-terminal.
  • FROM: host or IP from which the connection originated (can be hidden with -f).
  • LOGIN@: time the user logged in.
  • IDLE: time the session has been idle.
  • JCPU: CPU time used by all processes attached to that terminal.
  • PCPU: CPU time used by the process currently in the foreground.
  • WHAT: command or application the user is currently executing.

In addition, the first line of the output shows the current time, how long the system has been running, the number of logged-in users, and the load averages for the last 1, 5, and 15 minutes.

Practical examples

  • View all users with short format: w -s
  • Hide the header to process output with scripts: w -h
  • Show only activity for user ‘juan’: w juan
  • Disable the FROM column to save width: w -f
  • Combine options: w -hs juan (header hidden, short format, only juan)

Tips and tricks for administrators

Although w provides an immediate view, combining it with other tools improves monitoring:

  • Use watch -n 5 w to refresh the screen every five seconds and detect changes in real time.
  • In audit scripts, extract the WHAT field with w -h | awk '{print $8}', which prints the first word of the command (adjust the field number depending on the presence of FROM: use $7 when it is hidden).
  • If you need to keep a history, redirect the output to a file with a timestamp: date +"%Y-%m-%d %H:%M:%S" >> wlog.txt && w >> wlog.txt
  • On servers with many users, combine w with grep to quickly locate a suspicious user.
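
The field-extraction tip above, as an added example that is not part of the original post: instead of a fixed field number, it finds FROM and WHAT by name in the header line, so it works whether or not FROM is shown, and it keeps the whole WHAT command line. The sample output, the function names parse_w and remote_sessions, and the rule for what counts as a local FROM value are assumptions; it also assumes every column is non-empty, since an empty FROM would shift the fields.

```sh
#!/bin/sh
# Added example (not from the original post). Sample data below is constructed.
SAMPLE_W=' 10:32:01 up 12 days,  3:04,  3 users,  load average: 0.15, 0.10, 0.09
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
root     tty1     -                09:01    1:30m  0.05s  0.05s -bash
juan     pts/0    203.0.113.7      10:15    2.00s  0.30s  0.01s vim /etc/ssh/sshd_config
ana      pts/1    192.0.2.10       10:20    5:12   0.10s  0.02s sshd: ana [priv]'

# parse_w: read complete `w` output (header included) on stdin and print
# USER, TTY, FROM and the full WHAT command line, tab-separated.
parse_w() {
    awk '
    NR == 1 { next }                 # uptime and load average line
    NR == 2 {                        # column header: find FROM and WHAT by name
        for (i = 1; i <= NF; i++) {
            if ($i == "FROM") from = i
            if ($i == "WHAT") what = i
        }
        next
    }
    what {
        cmd = $what                  # WHAT can contain spaces: join the rest
        for (i = what + 1; i <= NF; i++) cmd = cmd " " $i
        printf "%s\t%s\t%s\t%s\n", $1, $2, (from ? $from : "-"), cmd
    }'
}

# remote_sessions: keep sessions whose FROM is a remote host.
# Assumption: local logins show "-" (console) or ":N" (X display) in FROM.
remote_sessions() {
    parse_w | awk -F '\t' '$3 != "-" && $3 !~ /^:/'
}

# Demo on the constructed sample; on a live host use: w | remote_sessions
printf '%s\n' "$SAMPLE_W" | remote_sessions
```

Because the header is needed to locate the columns, feed these functions the output of plain w (or w -s, w -f), not w -h.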

Conclusion

The w command is a lightweight but powerful tool that any Linux administrator should have at hand. It provides, at a glance, essential information about who is logged in, what they are doing, and how it affects system performance. Mastering its options and knowing how to combine it with watch, awk, or redirections will allow you to perform monitoring and diagnostic tasks more efficiently.

This work is licensed under a Creative Commons Attribution 4.0 International License for Francesc Roig francesc@vivaldi.net.