CLI Tools
41 cards — 🟢 12 easy | 🟡 13 medium | 🔴 7 hard
🟢 Easy (12)
1. How do you search forward for a pattern while inside less?
Type / followed by the pattern and press Enter. Use n for next match, N for previous match. Other useful keys: q to quit, g to go to top, G to go to bottom, -N to toggle line numbers. less is the default pager for man pages and git log — knowing these keys makes both faster to navigate.
Remember: invest time learning your CLI tools. A 10-minute task done manually can become a 10-second command once you know the right tool and flags.
2. What does grep -n do?
Prefixes each matching line with its line number in the file. Example: grep -n "error" app.log shows "42:connection error at startup". Combine with -i for case-insensitive: grep -ni "error" app.log. Line numbers are essential when you need to jump to a match in an editor or reference specific lines in a bug report.
3. How do you search for multiple patterns with grep using extended regex?
Use grep -E 'pattern1|pattern2' file. The -E flag enables extended regex supporting alternation (|), grouping, and quantifiers without escaping. Example: grep -E 'WARN|ERROR|FATAL' /var/log/syslog finds all severity levels in one pass. Equivalent to egrep (deprecated alias).
4. How do you find all files modified in the last 24 hours under /var/log?
find /var/log -type f -mtime -1. The -mtime -1 means "modified less than 1 day ago." Other time flags: -mmin -60 (last 60 minutes), -newer ref_file (newer than a reference file). Tip: add -ls to see details, or pipe to xargs for batch operations on the results. Example: find /var/log -name '*.log' -mtime +30 -delete removes logs older than 30 days. Use -exec for custom actions per file.
5. What is the mental model for composing CLI tools with pipes?
Each tool does one thing: select data, transform data, or format output. Pipes connect them so stdout of one becomes stdin of the next. Start simple, then add stages. Example pipeline: cat access.log | grep 'POST' | awk '{print $1}' | sort | uniq -c | sort -rn shows top IPs making POST requests, built one stage at a time.
6. What are the two standard ways to get help for a command-line tool?
man
7. What are the four types of gRPC service methods?
Unary RPC: single request, single response (like a function call). Server streaming: client sends one request, server returns a stream. Client streaming: client sends a stream, server returns one response. Bidirectional streaming: both sides send streams concurrently. Unary is most common; streaming is used for real-time data feeds, file uploads, and chat-like interactions.
8. What transport protocol does gRPC use and why?
gRPC uses HTTP/2, which provides multiplexing (multiple concurrent RPCs on one TCP connection), header compression (HPACK), flow control, and server push. This makes gRPC much more efficient than HTTP/1.1-based REST for high-throughput service-to-service communication, especially when many small requests are made concurrently.
9. How do you invoke a gRPC method using grpcurl?
Use "grpcurl -plaintext -d '{"name": "world"}' localhost:50051 helloworld.Greeter/SayHello" for unary calls. The -plaintext flag disables TLS (for local dev). The -d flag passes the JSON request body. For streaming, pipe input with -d @. List all methods first with "grpcurl -plaintext localhost:50051 list" to discover the service and method names.
Remember: curl flags: -s (silent), -o (output file), -H (header), -d (data/POST body), -X (method), -k (skip TLS verify). Mnemonic: 'Silently Output Headers with Data eXactly, sKip verify.'
10. What is the difference between capture filters and display filters in Wireshark?
Capture filters (BPF syntax) are applied during packet capture and determine which packets are saved to the pcap file -- they reduce file size but cannot be changed after capture. Display filters (Wireshark syntax) are applied after capture to show/hide packets in the UI. Use capture filters for high-traffic interfaces; use display filters for analysis.
Remember: nc (netcat) = 'network Swiss Army knife.' Test TCP: nc -zv host 80. Listen: nc -l 8080. Transfer files: nc -l 9999 > file on receiver, nc host 9999 < file on sender.
11. How do you capture packets with tcpdump and save them for Wireshark analysis?
Use "tcpdump -i eth0 -w capture.pcap" to capture all traffic on eth0 to a pcap file. Add BPF filters to narrow scope: "tcpdump -i eth0 -w capture.pcap port 443" for HTTPS only. Use -s 0 to capture full packets (not truncated). Then open capture.pcap in Wireshark or analyze with "tshark -r capture.pcap".
12. What display filter shows only DNS query errors or HTTP 5xx server errors?
For DNS errors: "dns.flags.rcode != 0" shows all non-success responses (NXDOMAIN, SERVFAIL, etc.). More specific: "dns.flags.rcode == 3" for NXDOMAIN only. For HTTP 5xx errors: "http.response.code >= 500" or "http.response.code == 503" for specific codes. Combine both: "(dns.flags.rcode != 0) || (http.response.code >= 500)" for a unified error view.
🟡 Medium (13)
1. Why should you pair find -print0 with xargs -0?
-print0 separates filenames with null bytes instead of newlines, and -0 tells xargs to expect null-delimited input. This safely handles filenames containing spaces, newlines, quotes, or special characters that would break normal line-based processing. Example: find . -name '*.log' -print0 | xargs -0 rm. Without this, a file named "my file.log" becomes two arguments.
2. What is the difference between grep -r and grep -R?
grep -r searches recursively and follows symbolic links. grep -R searches recursively but does not follow symlinks. Behavior varies by implementation — check your system's man page. Following symlinks can cause infinite loops if symlinks create cycles. For large codebases, prefer rg (ripgrep) which is faster and respects .gitignore.
3. What is the difference between find -exec cmd {} \; and find -exec cmd {} +?
With \; the command runs once per match (slow for many files). With + the command batches as many matches as possible into one invocation (much faster). Example: find . -name '*.tmp' -exec rm {} + removes all matches in one rm call. Use \; only when the command cannot accept multiple arguments.
4. How do you show lines before and after a grep match for context?
Use -B N for N lines before, -A N for N lines after, or -C N for N lines of context on both sides. Example: grep -C 3 'Exception' app.log shows 3 lines of context around each match. Context is critical for log analysis — an error message alone rarely tells the full story; the preceding lines often show the trigger.
5. How do you pipe command output into less for interactive reading?
Use command | less. Example: journalctl -u sshd | less pages through systemd journal output interactively. Inside less you can search (/pattern), jump to line (Ng), or filter shown lines (&pattern). For colored output, use less -R to pass through ANSI escape codes. Useful when a command produces more output than fits on screen.
6. What is grpcurl and how does it use server reflection?
grpcurl is a command-line tool for interacting with gRPC services, similar to curl for HTTP. With server reflection enabled, grpcurl can discover available services and methods without needing proto files: "grpcurl -plaintext localhost:50051 list" lists services, "grpcurl -plaintext localhost:50051 describe
7. What is gRPC server reflection and when should it be enabled?
Server reflection is a gRPC service that exposes the server's protobuf schema at runtime, allowing clients and debugging tools to discover services, methods, and message types without proto files. Enable it in development and staging for debugging with grpcurl/grpcui. Disable in production for security (it reveals your API surface to any client).
8. What is the gRPC Health Checking Protocol and how is it used?
The gRPC Health Checking Protocol is a standardized service (grpc.health.v1.Health) that reports serving status per service name. It returns SERVING, NOT_SERVING, or UNKNOWN. Kubernetes uses grpc-health-probe or native gRPC health checks (since 1.24) to determine pod readiness/liveness. It replaces ad-hoc health endpoints with a protocol-level standard.
9. What are the main gRPC load balancing strategies?
Pick-first: connect to the first resolved address (no balancing). Round-robin: distribute RPCs evenly across all resolved addresses. Client-side with external resolver: use a service mesh or DNS-SRV for endpoint discovery. Proxy-based (L7): use Envoy/gRPC-aware proxy that understands HTTP/2 frames. Note: L4 load balancers (TCP) do not work well because HTTP/2 multiplexes on one connection.
10. What is tshark and how does it differ from tcpdump?
tshark is Wireshark's command-line equivalent -- it captures packets and applies Wireshark's full protocol dissectors and display filters. Unlike tcpdump (which shows raw packet headers), tshark decodes application-layer protocols (HTTP/2, gRPC, TLS) with the same depth as the Wireshark GUI. Use "tshark -i eth0 -Y 'http.request'" for filtered captures.
11. What are common Wireshark display filters for HTTP, DNS, and TLS traffic?
HTTP: "http.request.method == GET", "http.response.code == 500", "http2" (for HTTP/2). DNS: "dns", "dns.qry.name contains example.com", "dns.flags.rcode != 0" (errors). TLS: "tls.handshake", "tls.handshake.type == 1" (Client Hello), "tls.record.version". Combine with && (and), || (or), and ! (not).
12. How do you follow a TCP stream in Wireshark and why is it useful?
Right-click a packet and select "Follow > TCP Stream" (or use filter "tcp.stream eq N"). This reconstructs the entire conversation between two endpoints in order, showing application-layer data as a continuous dialog. It is essential for debugging HTTP request/response pairs, analyzing TLS handshakes, or understanding application protocol exchanges.
13. How do you extract specific fields from a pcap using tshark?
Use tshark's -T fields with -e to extract specific protocol fields: "tshark -r capture.pcap -T fields -e ip.src -e ip.dst -e http.request.uri -Y http.request". The -E separator=, flag outputs CSV. This is powerful for scripting: extract all DNS queries, HTTP URLs, or TLS SNI values from a capture for automated analysis.
🔴 Hard (7)
1. How can xargs run commands in parallel?
Use xargs -P N where N is the number of parallel processes. Example: find . -name '*.gz' -print0 | xargs -0 -P 4 gunzip runs up to 4 gunzip processes concurrently. Combine with -n 1 to pass one argument per process. Gotcha: interleaved output — redirect each process to its own file if output order matters. GNU parallel is a more capable alternative for complex parallel workflows.
2. How do gRPC status codes differ from HTTP status codes?
gRPC has its own status code system (16 codes) separate from HTTP. Key mappings: OK=0, InvalidArgument=3 (not HTTP 400), NotFound=5 (not HTTP 404), PermissionDenied=7 (not HTTP 403), Unavailable=14 (closest to HTTP 503). When gRPC travels through HTTP proxies or gateways, these codes may be translated, causing confusion if you only check HTTP status.
3. What is deadline propagation in gRPC and why is it important for microservices?
A gRPC deadline sets an absolute time by which the entire RPC chain must complete. When service A calls B which calls C, the deadline propagates through the chain. If the deadline is exceeded at any point, the RPC is cancelled with DEADLINE_EXCEEDED. This prevents cascading timeouts where downstream services continue working on requests the caller has already abandoned.
4. Why does gRPC use Protocol Buffers instead of JSON?
Protocol Buffers are a binary serialization format that is 3-10x smaller and 20-100x faster to parse than JSON. They use a strongly-typed schema (.proto files) that enables code generation, backward/forward compatibility via field numbers, and compile-time type checking. The tradeoff is human readability -- binary payloads cannot be inspected without tooling.
5. How do you identify TCP retransmissions in Wireshark and what do they indicate?
Use the display filter "tcp.analysis.retransmission" to show retransmitted packets. Retransmissions indicate packet loss, network congestion, or receiver-side delays. Wireshark's TCP analysis also flags "tcp.analysis.duplicate_ack" (3 duplicate ACKs trigger fast retransmit) and "tcp.analysis.fast_retransmission". High retransmission rates (>1%) signal network issues requiring investigation.
6. What is BPF syntax and what are common capture filter expressions?
BPF (Berkeley Packet Filter) is the syntax for capture filters in tcpdump, tshark, and Wireshark. Common expressions: "host 10.0.0.1" (specific host), "port 80" (specific port), "tcp" (protocol), "src net 192.168.0.0/16" (source network), "port 53 and udp" (DNS). Combine with "and", "or", "not". BPF is compiled to bytecode and runs in the kernel for high-speed filtering.
7. How can you decrypt TLS traffic in Wireshark?
Two methods: (1) Pre-master secret log: set the SSLKEYLOGFILE environment variable in the client (browsers, curl), then load the log in Wireshark under Preferences > Protocols > TLS > Pre-Master Secret log filename. (2) RSA private key: only works with non-ephemeral key exchange (RSA, not ECDHE). Method 1 is preferred as modern TLS uses ephemeral keys.