When the disk is filling up and you need to know what’s eating it,ncduis the fastest tool to point at the problem directory. It’s an ncurses disk usage analyzer: it scans a tree once, caches the results in memory, and then lets you browse every subdirectory sorted by size. No flags to remember, no GUI required, and it works equally well over an SSH session to a remote server.This guide installsncduon Rocky Linux 10 and Ubuntu 24.04, then walks through the scan, navigation, export-import workflow, and a few flags that make it useful for automated disk audits over SSH.TestedApril 2026on Rocky Linux 10.1 with ncdu 1.22 from EPEL 10Step 1: Install ncduOn Rocky Linux 10, AlmaLinux 10, and RHEL 10,ncdulives in EPEL. Enable the CRB repo first (EPEL packages sometimes depend on CRB) and install:sudo /usr/bin/crb enable sudo dnf install -y epel-release sudo dnf install -y ncduCopyDebian 13 and Ubuntu 24.04 ship it inmain, so a single apt call is enough:sudo apt update sudo apt install -y ncduCopyConfirm the install and version:ncdu --versionCopyOn a current Rocky 10 minimal image this reports:ncdu 1.22Copyncdu 1.2x has the rewritten scanner that’s several times faster than the 1.x series that still ships on some older RHEL derivatives. If you get something below 1.10, upgrade before relying on it for large filesystem scans.Step 2: Interactive scan of a directoryRunncduagainst the directory you want to analyze. The most common target is the whole root filesystem, but because descending into/proc,/sys,/dev, and mounted filesystems wastes time, use-xto stay on a single filesystem and--exclude-kernfsto skip pseudo filesystems:sudo ncdu -x --exclude-kernfs /CopyThe scanner runs for a few seconds to a few minutes depending on the filesystem size, then drops you into the interactive browser. The top line shows the absolute path, and the column below lists subdirectories sorted biggest-first with their usage as a percentage of the parent and a bar graph.Step 3: Key bindings you’ll actually usencdu is entirely keyboard-driven. Five bindings cover 95% of real usage:arrow keys / j k: move up and down the listEnter / right arrow / l: descend into a directoryleft arrow / h: go back upd: delete the selected file or directory (with confirm)g: toggle between bytes, graph, and percentageq: quitTwo more worth knowing: press?anytime for the full help screen, andn/s/Ctoggle sort order by name, size, and item count. Pressingion a highlighted item opens a details pane with owner, permissions, and mtime.Step 4: Non-interactive scans for scriptingncdu can export a full scan to a JSON file using-o. This is perfect for automation: run the scan on a server, copy the JSON to your laptop, and open it there for analysis without touching the remote box again. The-qflag tells ncdu to run in quiet (non-interactive) mode:ncdu -q -o /tmp/ncdu.json /usrCopyThe output file is plain text JSON so you can inspect it withhead:ls -la /tmp/ncdu.json head -c 200 /tmp/ncdu.jsonCopyOn a stock Rocky 10 VM scanning/usr, the JSON file comes in at around 2.3 MB and starts like this:-rw-r--r--. 1 rocky rocky 2291160 Apr 12 03:04 /tmp/ncdu.json [1,2,{progname:ncdu,progver:1.22,timestamp:1775952272}, [{name:/usr,asize:144,dev:64516}, [{name:bin,asize:24576,dsize:40960}, {nameCopyOpen the exported scan in another ncdu session with-f:ncdu -f /tmp/ncdu.jsonCopyNavigation is identical to a fresh scan, but nothing touches the disk because ncdu reads from the JSON cache. This is also the way to audit a remote server without keeping an SSH session open for the duration of a slow scan: runncdu -q -o scan.json /on the server,scpthe file down, and browse it at your leisure.Step 5: Scanning excluded pathsSkip noisy directories with--exclude. Multiple exclusions can be chained, and-X exclude.txtreads a list from a file:sudo ncdu -x --exclude-kernfs \ --exclude /var/cache \ --exclude /var/lib/docker \ --exclude /home/*/.cache \ /CopyThis is particularly useful when you already know Docker overlay layers or cache directories are the big consumers and you want a view of the “real” user data underneath.Step 6: Deleting from inside ncduWhen you find a 10 GB log file you no longer need, pressdon it. ncdu asks for confirmation and then actually removes the file. The totals update immediately so you can see the reclaimed space reflected in the parent directories. This is the feature that turns ncdu from a passive analyzer into a cleanup tool.For safety when you’re working on production, run with-r(read-only) so accidental key presses can’t delete anything:sudo ncdu -r /varCopyRelated toolsncdu is the right tool when you want an interactive view of disk usage. For non-interactive one-liners (e.g., “top 10 directories by size”), the classicdu -sh */ | sort -rh | headstill works. For filesystem-level capacity and block usage on BtrFS, usebtrfs filesystem usage; for LVM thin pools,lvs. And if you just want to check that/tmpisn’t consuming disk because it’s not on its own filesystem, see our mount /tmp as tmpfs or separate partition guide.For a broader post-install toolkit on Rocky 10, see our post-install tips guide. For interactive process monitoring see our sshfs tutorial for mounting remote filesystems you can then scan locally. And if you’re analyzing a filesystem on a disk image that isn’t mounted, the qemu-img conversion guide shows how to flip the image into a formatguestmountcan open. For hardware-level checks to pair with disk analysis, the dmidecode reference covers the other half of the audit.