istat

To use istat, you must first invoke debugfs on the target filesystem device.

debugfs <filesystem_device>
debugfs: istat <inode_number>

<inode_number>
    The numerical identifier of the inode whose detailed information is to be displayed. This number can often be obtained using commands like ls -i or ncheck within debugfs.

istat is an interactive command within the debugfs utility, which is part of the e2fsprogs suite. It is designed to examine and modify the state of Ext2, Ext3, and Ext4 filesystems. The primary function of the istat command is to display comprehensive, low-level details about a specific inode. This includes crucial metadata such as the inode number, file mode (type and permissions), user and group IDs, file size, link count, block count, creation time (ctime), access time (atime), modification time (mtime), deletion time (dtime), and direct/indirect block pointers. It is an indispensable tool for filesystem debugging, data recovery, and forensic analysis, offering insights into the on-disk structure of files and directories that are not typically accessible through standard utilities like ls -i or stat.

istat requires root privileges to run debugfs on a device.
It is highly recommended to use debugfs, and consequently istat, on an unmounted filesystem or one mounted read-only to prevent filesystem corruption.
The command is specifically designed for Ext2, Ext3, and Ext4 filesystems.
istat is an interactive command executed within the debugfs prompt, not a standalone shell command.

istat provides a direct dump of the inode's on-disk structure, including the crucial block pointers that map logical file blocks to physical disk blocks. This is invaluable for tracing where file data resides, particularly in cases of fragmented files or direct block access for recovery.

By exposing raw inode metadata, istat is an essential tool for advanced filesystem debugging, forensic analysis, and data recovery efforts. It helps in understanding the root cause of filesystem corruption, identifying orphaned inodes, or recovering data from damaged files.

debugfs, and by extension its istat command, is a foundational component of the e2fsprogs package, a suite of utilities for the Ext2/3/4 filesystems. Developed primarily by Theodore Ts'o, e2fsprogs has been central to Linux filesystem management since the early 1990s. istat has been a core interactive command within debugfs from its inception, providing fundamental capabilities for low-level inode inspection. Its design and purpose have remained remarkably consistent over the years, serving as a critical diagnostic and recovery tool for filesystem developers and administrators.

debugfs(8), ls(1), stat(1), dumpe2fs(8), e2fsck(8), xfs_istat(8)