When the disk is filling up and you need to know what’s eating it, ncdu is the fastest tool to point at the problem directory. It’s an ncurses disk usage analyzer: it scans a tree once, caches the results in memory, and then lets you browse every subdirectory sorted by size. No flags to remember, no GUI required, and it works equally well over an SSH session to a remote server.
This guide installs ncdu on Rocky Linux 10 and Ubuntu 24.04, then walks through the scan, navigation, export-import workflow, and a few flags that make it useful for automated disk audits over SSH.
Tested April 2026 on Rocky Linux 10.1 with ncdu 1.22 from EPEL 10
Step 1: Install ncdu
On Rocky Linux 10, AlmaLinux 10, and RHEL 10, ncdu lives in EPEL. Enable the CRB repo first (EPEL packages sometimes depend on CRB) and install:
sudo /usr/bin/crb enable
sudo dnf install -y epel-release
sudo dnf install -y ncduDebian 13 and Ubuntu 24.04 ship it in main, so a single apt call is enough:
sudo apt update
sudo apt install -y ncduConfirm the install and version:
ncdu --versionOn a current Rocky 10 minimal image this reports:
ncdu 1.22ncdu 1.2x has the rewritten scanner that’s several times faster than the 1.x series that still ships on some older RHEL derivatives. If you get something below 1.10, upgrade before relying on it for large filesystem scans.
Step 2: Interactive scan of a directory
Run ncdu against the directory you want to analyze. The most common target is the whole root filesystem, but because descending into /proc, /sys, /dev, and mounted filesystems wastes time, use -x to stay on a single filesystem and --exclude-kernfs to skip pseudo filesystems:
sudo ncdu -x --exclude-kernfs /The scanner runs for a few seconds to a few minutes depending on the filesystem size, then drops you into the interactive browser. The top line shows the absolute path, and the column below lists subdirectories sorted biggest-first with their usage as a percentage of the parent and a bar graph.
Step 3: Key bindings you’ll actually use
ncdu is entirely keyboard-driven. Five bindings cover 95% of real usage:
- arrow keys / j k: move up and down the list
- Enter / right arrow / l: descend into a directory
- left arrow / h: go back up
- d: delete the selected file or directory (with confirm)
- g: toggle between bytes, graph, and percentage
- q: quit
Two more worth knowing: press ? anytime for the full help screen, and n/s/C toggle sort order by name, size, and item count. Pressing i on a highlighted item opens a details pane with owner, permissions, and mtime.
Step 4: Non-interactive scans for scripting
ncdu can export a full scan to a JSON file using -o. This is perfect for automation: run the scan on a server, copy the JSON to your laptop, and open it there for analysis without touching the remote box again. The -q flag tells ncdu to run in quiet (non-interactive) mode:
ncdu -q -o /tmp/ncdu.json /usrThe output file is plain text JSON so you can inspect it with head:
ls -la /tmp/ncdu.json
head -c 200 /tmp/ncdu.jsonOn a stock Rocky 10 VM scanning /usr, the JSON file comes in at around 2.3 MB and starts like this:
-rw-r--r--. 1 rocky rocky 2291160 Apr 12 03:04 /tmp/ncdu.json
[1,2,{"progname":"ncdu","progver":"1.22","timestamp":1775952272},
[{"name":"/usr","asize":144,"dev":64516},
[{"name":"bin","asize":24576,"dsize":40960},
{"nameOpen the exported scan in another ncdu session with -f:
ncdu -f /tmp/ncdu.jsonNavigation is identical to a fresh scan, but nothing touches the disk because ncdu reads from the JSON cache. This is also the way to audit a remote server without keeping an SSH session open for the duration of a slow scan: run ncdu -q -o scan.json / on the server, scp the file down, and browse it at your leisure.
Step 5: Scanning excluded paths
Skip noisy directories with --exclude. Multiple exclusions can be chained, and -X exclude.txt reads a list from a file:
sudo ncdu -x --exclude-kernfs \
--exclude /var/cache \
--exclude /var/lib/docker \
--exclude /home/*/.cache \
/This is particularly useful when you already know Docker overlay layers or cache directories are the big consumers and you want a view of the “real” user data underneath.
Step 6: Deleting from inside ncdu
When you find a 10 GB log file you no longer need, press d on it. ncdu asks for confirmation and then actually removes the file. The totals update immediately so you can see the reclaimed space reflected in the parent directories. This is the feature that turns ncdu from a passive analyzer into a cleanup tool.
For safety when you’re working on production, run with -r (read-only) so accidental key presses can’t delete anything:
sudo ncdu -r /varRelated tools
ncdu is the right tool when you want an interactive view of disk usage. For non-interactive one-liners (e.g., “top 10 directories by size”), the classic du -sh */ | sort -rh | head still works. For filesystem-level capacity and block usage on BtrFS, use btrfs filesystem usage; for LVM thin pools, lvs. And if you just want to check that /tmp isn’t consuming disk because it’s not on its own filesystem, see our mount /tmp as tmpfs or separate partition guide.
For a broader post-install toolkit on Rocky 10, see our post-install tips guide. For interactive process monitoring see our sshfs tutorial for mounting remote filesystems you can then scan locally. And if you’re analyzing a filesystem on a disk image that isn’t mounted, the qemu-img conversion guide shows how to flip the image into a format guestmount can open. For hardware-level checks to pair with disk analysis, the dmidecode reference covers the other half of the audit.
