Linux Under the Hood: A System Investigator’s Deep Dive


Most people learn Linux through commands. I tried something different: I explored Linux like a system investigator, using the file system as a map to understand how everything actually works.

What I found is that Linux is not a black box at all. It’s a system where everything is exposed, inspectable, and logically structured.

Here are my most meaningful discoveries.


1. /etc: The Control Plane of the Entire System

The /etc directory isn’t just configuration — it’s the behavior layer of Linux.

Key discoveries:

  • /etc/hosts → local DNS overrides

  • /etc/resolv.conf → DNS resolver configuration

  • /etc/nsswitch.conf → defines how name resolution works (files vs DNS vs others)

Why it exists

Linux separates:

  • Program logic → binaries

  • System behavior → /etc

Insight

I realized DNS resolution isn’t fixed: Linux lets you control how resolution happens, not just which server is used. That level of flexibility is rarely visible in other systems.


2. DNS Resolution Chain: Not Just One File

At first, I thought /etc/resolv.conf was everything. It’s not.

The actual flow:

  1. Check /etc/hosts

  2. Follow rules in /etc/nsswitch.conf

  3. Query DNS via /etc/resolv.conf

Why it matters

This layered system allows:

  • Local overrides

  • Fallback mechanisms

  • Custom resolution strategies

Insight

DNS in Linux is a pipeline, not a single step, which explains why debugging DNS issues can sometimes feel confusing.
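The pipeline above, walked in code as an added example (not from the original post). The order of stages is read from the `hosts:` line of /etc/nsswitch.conf, so a name pinned in /etc/hosts is answered before any DNS server is asked, which makes both files worth auditing. File contents, names and addresses are constructed samples; only the `files` and `dns` sources are modelled.

```python
import re
# Constructed sample file contents (not read from a real host).
NSSWITCH = """\
passwd: files systemd
hosts:  files mdns4_minimal [NOTFOUND=return] dns
"""
HOSTS = """\
127.0.0.1   localhost
10.0.0.5    updates.example.com updates   # pinned locally
"""
RESOLV = """\
nameserver 192.0.2.53
nameserver 192.0.2.54
search corp.example
"""

def entries(text):
    """Split a config file into token lists, dropping '#' and ';' comments."""
    rows = (re.split(r"[#;]", line, maxsplit=1)[0].split() for line in text.splitlines())
    return [row for row in rows if row]

def hosts_sources(nsswitch_text):
    """Ordered lookup sources from the 'hosts:' line, without [STATUS=action] items."""
    for line in nsswitch_text.splitlines():
        db, sep, rest = line.split("#", 1)[0].partition(":")
        if sep and db.strip() == "hosts":
            return re.sub(r"\[[^\]]*\]", " ", rest).split()
    return []

def hosts_overrides(hosts_text):
    """Map each name in /etc/hosts to the first address listed for it (simplification)."""
    table = {}
    for addr, *names in entries(hosts_text):
        for name in names:
            table.setdefault(name.lower(), addr)
    return table

def nameservers(resolv_text):
    return [row[1] for row in entries(resolv_text) if row[0] == "nameserver" and len(row) > 1]

def explain(name, nsswitch=NSSWITCH, hosts=HOSTS, resolv=RESOLV):
    """Return (stage, answer) for the first modelled stage that would answer `name`."""
    pinned = hosts_overrides(hosts)
    for source in hosts_sources(nsswitch):
        if source == "files" and name.lower() in pinned:
            return ("files", pinned[name.lower()])
        if source == "dns":                  # no query is sent; report who would be asked
            return ("dns", nameservers(resolv))
    return ("unresolved", None)              # other sources (mdns, ...) are skipped
```

Calling `explain("updates.example.com", nsswitch="hosts: dns files")` shows how reordering the `hosts:` line changes which stage answers.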


3. /proc: A Live API to the Kernel

/proc looks like a directory, but it behaves like a real-time API exposed as files.

What I explored

  • /proc/cpuinfo → CPU details

  • /proc/meminfo → memory usage

  • /proc/net/tcp → active TCP connections

  • /proc/[pid]/fd/ → open file descriptors

Why it exists

Instead of a dedicated system call for every piece of state, Linux exposes that state through files.

Insight

You can literally inspect a running process’s open files, memory, and network connections without special tools. This is debugging power at a very low level.


4. Routing Tables: How Linux Decides Where Packets Go

One of the most interesting discoveries was how routing actually works.

The routing table can be viewed through system interfaces (like /proc/net/route).

What it represents

It defines:

  • Destination networks

  • Gateways

  • Interfaces

Why it exists

When you send data, Linux must decide: Where should this packet go next?

Insight

Networking is not “send and forget”; it’s a decision-making system. Each outgoing packet is matched against routing rules.
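The matching step, as an added example that is not part of the original post: it decodes rows in the /proc/net/route layout and picks the route for a destination by longest prefix, then lowest metric. The table is a constructed sample (space-separated here, tab-separated in the real file) and the decoding assumes a little-endian host such as x86.

```python
import ipaddress, socket, struct

# Constructed sample in /proc/net/route layout; hex words are little-endian (x86).
ROUTES = (
    "Iface Destination Gateway Flags RefCnt Use Metric Mask MTU Window IRTT\n"
    "eth0 00000000 0101A8C0 0003 0 0 100 00000000 0 0 0\n"
    "eth0 0001A8C0 00000000 0001 0 0 100 00FFFFFF 0 0 0\n"
    "tun0 0000000A 00000000 0001 0 0 50 000000FF 0 0 0\n"
)
RTF_UP, RTF_GATEWAY = 0x1, 0x2   # route is usable / next hop is a gateway

def hex_to_ip(word):
    """Decode one 32-bit hex word as printed by the kernel (little-endian assumed)."""
    return socket.inet_ntoa(struct.pack("<I", int(word, 16)))

def parse_routes(text):
    routes = []
    for line in text.splitlines()[1:]:               # first row is the header
        f = line.split()
        if len(f) < 8 or not int(f[3], 16) & RTF_UP:
            continue
        prefix = bin(int(f[7], 16)).count("1")       # netmask -> prefix length
        routes.append({
            "iface": f[0],
            "net": ipaddress.ip_network(f"{hex_to_ip(f[1])}/{prefix}", strict=False),
            "gateway": hex_to_ip(f[2]) if int(f[3], 16) & RTF_GATEWAY else None,
            "metric": int(f[6]),
        })
    return routes

def lookup(routes, destination):
    """Pick the route a packet would take: longest prefix first, then lowest metric."""
    addr = ipaddress.ip_address(destination)
    hits = [r for r in routes if addr in r["net"]]
    return max(hits, key=lambda r: (r["net"].prefixlen, -r["metric"])) if hits else None
```

Running `lookup` for an address you expect to go through a tunnel is a quick way to confirm that the tunnel route, and not the default route, actually covers it.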


5. /proc/net: Network Internals Exposed

Inside /proc/net, I found raw networking data:

  • tcp → active TCP sockets

  • udp → UDP sockets

  • arp → IP-to-MAC mappings

Why it exists

It gives direct visibility into:

  • Active connections

  • Listening ports

  • Network state

Insight

Tools like netstat or ss are just readable layers over these files. Linux doesn’t hide networking; it exposes it in raw form.
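What that raw form looks like once decoded, as an added example (not from the original post): it parses rows in the /proc/net/tcp layout and lists listening sockets that are bound to a non-loopback address. The rows, ports and inode numbers are constructed, and the address decoding assumes IPv4 on a little-endian host.

```python
import socket, struct

# Constructed sample in /proc/net/tcp layout (IPv4, little-endian hex addresses).
PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20001
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   112        0 20002
   2: 0501A8C0:0016 0A01A8C0:D431 01 00000000:00000000 00:00000000 00000000     0        0 20003
"""
# Kernel TCP state codes 0x01..0x0B, in order.
STATES = dict(enumerate(
    ["ESTABLISHED", "SYN_SENT", "SYN_RECV", "FIN_WAIT1", "FIN_WAIT2", "TIME_WAIT",
     "CLOSE", "CLOSE_WAIT", "LAST_ACK", "LISTEN", "CLOSING"], start=1))

def endpoint(field):
    """'0100007F:0CEA' -> ('127.0.0.1', 3306)."""
    addr, port = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(addr, 16))), int(port, 16)

def parse_tcp(text):
    socks = []
    for line in text.splitlines()[1:]:               # first row is the header
        f = line.split()
        if len(f) < 10:
            continue
        code = int(f[3], 16)
        socks.append({"local": endpoint(f[1]), "remote": endpoint(f[2]),
                      "state": STATES.get(code, hex(code)),
                      "uid": int(f[7]), "inode": int(f[9])})
    return socks

def exposed_listeners(socks):
    """Listening sockets bound to something other than loopback."""
    return sorted(s["local"] for s in socks
                  if s["state"] == "LISTEN" and not s["local"][0].startswith("127."))
```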


6. /dev: Hardware Through Abstraction

In Linux, devices are just files.

Examples:

  • /dev/sda → disk

  • /dev/null → discards data

  • /dev/random → randomness source

Why it exists

It allows:

  • Uniform interaction with hardware

  • Simpler system design

Insight

Writing to a disk and writing to a file follow the same concept. Linux reduces complexity by using one abstraction everywhere.


7. Process Internals: /proc/[pid]

Each running process has its own directory.

Inside:

  • cmdline → how the process was started

  • status → memory and state

  • fd/ → open files

Why it exists

To allow introspection of running processes.

Insight

Processes are not hidden; you can inspect:

  • What files they opened

  • What resources they use

  • How they behave

This is incredibly powerful for debugging and security analysis.
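An added example of that inspection (not from the original post): it reads cmdline, status and fd/ for one PID and flags two things worth a second look, socket descriptors (whose inode matches the inode column of /proc/net/tcp) and descriptors that still point at a file already deleted from disk. The `proc_root` parameter and the `triage` helper are names introduced here for illustration.

```python
import os

def inspect_process(pid, proc_root="/proc"):
    """Collect argv, selected status fields and fd targets for one PID."""
    base = os.path.join(proc_root, str(pid))
    with open(os.path.join(base, "cmdline"), "rb") as fh:
        # cmdline is the argument vector with NUL bytes between arguments
        argv = [a.decode(errors="replace") for a in fh.read().split(b"\0") if a]
    status = {}
    with open(os.path.join(base, "status")) as fh:
        for line in fh:
            key, _, value = line.partition(":")
            status[key] = value.strip()
    fds = {}
    for name in os.listdir(os.path.join(base, "fd")):
        try:
            fds[int(name)] = os.readlink(os.path.join(base, "fd", name))
        except OSError:
            continue                      # fd was closed while we were listing
    return {"argv": argv, "name": status.get("Name"), "state": status.get("State"),
            "vmrss": status.get("VmRSS"), "fds": fds}

def triage(info):
    """Descriptors an analyst usually checks first."""
    notes = []
    for fd, target in sorted(info["fds"].items()):
        if target.startswith("socket:["):
            notes.append(f"fd {fd}: socket inode {target[8:-1]}")
        elif target.endswith(" (deleted)"):
            notes.append(f"fd {fd}: open file no longer on disk: {target[:-10]}")
    return notes

if __name__ == "__main__":
    me = inspect_process(os.getpid())     # inspect this interpreter itself
    print(me["argv"], me["name"], me["state"], triage(me))
```

Reading another user's /proc/[pid]/fd requires matching ownership or root, so run it with the privileges your investigation actually has.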


8. System Logs: /var/log as a Story Archive

Linux logs are detailed and structured.

Important files:

  • syslog → system-wide events

  • auth.log → login attempts

  • kern.log → kernel-level events

Why it exists

To provide traceability.

Insight

Logs are not just for errors; they are a timeline of system behavior. You can reconstruct what happened in the system just by reading logs.


9. Permissions: Simple Model, Strong Security

Linux uses:

  • Owner

  • Group

  • Permissions (rwx)

Why it exists

To enforce access control consistently.

Insight

Instead of complex rule engines, Linux relies on a minimal but universal permission system. This simplicity is what makes it reliable.


10. System Services: systemd as a Process Orchestrator

Modern Linux uses systemd to manage services.

What I found

  • Service files define behavior

  • Dependencies between services

  • Startup order

Why it exists

To manage:

  • Background processes

  • Boot sequence

Insight

Linux is always running multiple coordinated processes. systemd acts like a conductor managing an orchestra of services.


11. Boot Process: /boot is Where It All Begins

The /boot directory contains:

  • Kernel images

  • Bootloader configs

Why it exists

To define how the OS loads into memory.

Insight

The system startup is not hidden; it’s fully configurable. You can literally control how your OS boots.


Final Realization

After exploring all these components, one pattern became clear:

Linux is built on transparency and consistency:

  • Everything is a file

  • Everything is inspectable

  • Everything follows logical structure


What Makes Linux Powerful

  • It exposes internal state instead of hiding it

  • It allows deep control without forcing complexity

  • It treats system components uniformly


My Biggest Takeaway

Linux doesn’t try to simplify reality — it gives you direct access to it.

That’s why it feels hard at first. But once you understand the structure, it becomes one of the most predictable systems you can work with.


If you’re learning Linux, don’t stop at commands.

  • Explore /proc, /etc, and /var/log

  • Read system files

  • Break things and observe

That’s where real understanding begins.