How to use lsof command under Linux system

2025-02-24 Update. From: SLTechnology News&Howtos (shulou), Servers section


Shulou(Shulou.com)06/01 Report--

This article explains how to use the lsof command on a Linux system. The methods are simple, fast and practical; let's walk through them.

Introduction to the lsof command:

lsof (list open files) lists the files that processes currently have open. On Linux almost everything is exposed as a file: regular data, directories, devices, pipes and network sockets all appear as open file descriptors, so lsof shows far more than documents. Any user can run lsof (it is installed as /usr/sbin/lsof on older systems and /usr/bin/lsof on current ones), but an unprivileged user is only shown the files of their own processes; other users' processes are hidden because /proc denies access to them, and lsof may print "permission denied" warnings for paths it cannot stat. Run it as root to see the whole system. Being able to view this list makes lsof very useful for system monitoring, troubleshooting and incident response.

Interestingly, lsof is also one of the Linux/Unix commands with the most switches. Many of its options accept both a - and a + prefix, with different meanings (for example -L suppresses the file link-count column and +L enables it).

Usage: lsof [-?abhlnNoOPRstUvV] [+|-c c] [+|-d s] [+D D] [+|-f [cgG]]
            [-F [f]] [-g [s]] [-i [i]] [+|-L [l]] [+|-M] [-o [o]]
            [-p s] [+|-r [t]] [-S [t]] [-T [t]] [-u s] [+|-w] [-x [fl]] [--] [names]

As you can see, lsof has an impressive number of options. You can use it to see which device or filesystem a file lives on, what a given user has open in a given place, or which files and network connections a process is using.

For many tasks lsof covers what netstat and ps are used for, and adds detail those tools do not give (which descriptor, which file, which socket state, all in one listing). So let's look at its basic capabilities.

Typing lsof alone at the terminal lists every file open on the system. Because lsof reads kernel state for every process, run it as root to see all of them; as an ordinary user you only see your own processes.

Each line of output is one open file; without selection options, every file opened by every process is listed. The columns mean:

COMMAND: name of the process (truncated to 9 characters by default; +c 0 shows the full name)

PID: process ID

USER: the user the process runs as

FD: the file descriptor. Numeric entries are real descriptors and carry a mode suffix: 3r (read), 4w (write), 5u (read and write). Symbolic entries are not descriptors but things the process holds open anyway: cwd (current working directory), rtd (root directory), txt (the executable), mem (a memory-mapped file)

TYPE: file type, such as DIR, REG (regular file), CHR, FIFO, unix, IPv4, IPv6

DEVICE: major,minor device numbers of the device holding the file (for sockets, a kernel identifier)

SIZE (SIZE/OFF on newer versions): file size, or the current file offset

NODE: inode number of the file on disk; for network sockets the protocol (TCP, UDP) appears here

NAME: the path of the open file, or for a socket the local and remote addresses and the connection state

Basic usage of lsof looks like this:

lsof abc.txt lists the processes that have the file abc.txt open

lsof /some/directory lists the processes using that directory; if the directory is a mount point, every open file on that filesystem is reported, which is how you find out what is holding a filesystem busy when umount fails

Key options

It is important to understand a few things about how lsof works. Most importantly, when you give it several selection options, by default the results are ORed together: if you use -i to select network files and -p to select a process, you get the union of both sets, not the intersection. Use -a to AND them instead.

Here are some other things to keep in mind:

Default: with no options, lsof lists all open files of all active processes

Combination: single-letter options can be grouped, such as -abc, but be careful with options that take an argument (here -c expects a command name)

-a: AND the selections together (instead of OR)

-l: show numeric user IDs instead of login names in the output (skips the password-file lookup)

-h: get help

-t: print only process IDs, one per line, so the output can be fed to kill or other commands

-U: select UNIX domain socket files

-F: format the output for consumption by other programs, one field per line with a leading letter; the letters choose the fields, e.g. -F pcfn for process ID, command name, file descriptor and file name, and appending 0 (-F0) terminates each field with a NUL instead of a newline

Get network information

As I said, I mainly use lsof to look at how the system interacts with the network. Two options are worth adding to every network query: -n suppresses reverse DNS lookups and -P suppresses port-name lookups (/etc/services), so the output is faster, cannot hang on an unreachable resolver, and shows the raw port numbers you usually want to grep for. Here are some topics about this information:

Use -i to display all connections

Some people like to use netstat to list network connections, but I prefer lsof. The results are presented in a way I find intuitive, and I can get more information from the same command simply by changing the syntax.

The code is as follows:

# lsof -i

COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME

dhcpcd 6061 root 4u IPv4 4510 UDP *:bootpc

sshd 7703 root 3u IPv6 6499 TCP *:ssh (LISTEN)

sshd 7892 root 3u IPv6 6757 TCP 10.10.1.5:ssh->192.168.1.5:49901 (ESTABLISHED)

Use -i 6 to get only IPv6 traffic (and -i 4 for IPv4 only)

The code is as follows:

# lsof -i 6

Show only TCP connections (UDP connections can be obtained the same way)

You can display only TCP or UDP information by giving the protocol name after -i.

The code is as follows:

# lsof -iTCP

COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME

sshd 7703 root 3u IPv6 6499 TCP *:ssh (LISTEN)

sshd 7892 root 3u IPv6 6757 TCP 10.10.1.5:ssh->192.168.1.5:49901 (ESTABLISHED)

Use -i :port to display network information related to the specified port

Alternatively you can search by port, which is ideal for finding out what is preventing another application from binding to a given port.

The code is as follows:

# lsof -i :22

COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME

sshd 7703 root 3u IPv6 6499 TCP *:ssh (LISTEN)

sshd 7892 root 3u IPv6 6757 TCP 10.10.1.5:ssh->192.168.1.5:49901 (ESTABLISHED)

Use @host to display connections to the specified host

This is useful for checking whether you have an open connection to a given host on the network or on the Internet.

The code is as follows:

# lsof -i @172.16.12.5

sshd 7892 root 3u IPv6 6757 TCP 10.10.1.5:ssh->172.16.12.5:49901 (ESTABLISHED)

Use @host:port to display connections to a specific host and port

You can also combine the host and the port in one selector.

The code is as follows:

# lsof -i @172.16.12.5:22

sshd 7892 root 3u IPv6 6757 TCP 10.10.1.5:ssh->172.16.12.5:49901 (ESTABLISHED)

Find the listening ports

Find the ports that are waiting for connections.

The code is as follows:

# lsof -i -sTCP:LISTEN

You can also grep for "LISTEN" to accomplish this, although -sTCP:LISTEN is the more precise form, since it filters on the socket state rather than on text that could also appear in a file name.

The code is as follows:

# lsof -i | grep -i LISTEN

iTunes 400 daniel 16u IPv4 0x4575228 0t0 TCP *:daap (LISTEN)

Find established connections

You can also display only the connections that are currently established.

The code is as follows:

# lsof -i -sTCP:ESTABLISHED

You can also do this by grepping for "ESTABLISHED".

The code is as follows:

# lsof -i | grep -i ESTABLISHED

firefox-b 169 daniel 49u IPv4 0t0 TCP 1.2.3.3:1863->1.2.3.4:http (ESTABLISHED)

User information

You can also get information about users and what they are doing on the system, including their network activity, the files they have open, and so on. (The listings in this section and some of those below were captured on macOS, as the .dylib paths and the Dock process show; the syntax is the same on Linux.)

Use -u to display what the specified user has open

The code is as follows:

# lsof -u daniel

--snipped--

Dock 155 daniel txt REG 14,2 2798436 823208 /usr/lib/libicucore.A.dylib

Dock 155 daniel txt REG 14,2 1580212 823126 /usr/lib/libobjc.A.dylib

Dock 155 daniel txt REG 14,2 2934184 823498 /usr/lib/libstdc++.6.0.4.dylib

Dock 155 daniel txt REG 14,2 132008 823505 /usr/lib/libgcc_s.1.dylib

Dock 155 daniel txt REG 14,2 212160 823214 /usr/lib/libauto.dylib

--snipped--

Use -u ^user to show what all users except the specified one are doing

The code is as follows:

# lsof -u ^daniel

--snipped--

Dock 155 jim txt REG 14,2 2798436 823208 /usr/lib/libicucore.A.dylib

Dock 155 jim txt REG 14,2 1580212 823126 /usr/lib/libobjc.A.dylib

Dock 155 jim txt REG 14,2 2934184 823498 /usr/lib/libstdc++.6.0.4.dylib

Dock 155 jim txt REG 14,2 132008 823505 /usr/lib/libgcc_s.1.dylib

Dock 155 jim txt REG 14,2 212160 823214 /usr/lib/libauto.dylib

--snipped--

Kill everything a specified user is running

It is handy to be able to stop everything a given user is running.

The code is as follows:

# kill -9 `lsof -t -u daniel`

Two cautions: -9 is SIGKILL, which gives the processes no chance to clean up, so try plain kill (SIGTERM) first and escalate only if needed; and lsof -t -u lists every process of that user, login shells included, so run this only when you really mean all of them. If lsof prints nothing, the backticks expand to nothing and kill merely complains about missing arguments.

Commands and processes

It is often useful to see what a given program or process has open, and lsof can filter by command name or by process ID. Some options:

Use -c to view the files and network connections used by the specified command (matching is by prefix, so -c ssh also matches sshd; -c ^name excludes a command, and -c /regex/ matches a regular expression)

The code is as follows:

# lsof -c syslog-ng

COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME

syslog-ng 7547 root cwd DIR 3,3 4096 2 /

syslog-ng 7547 root rtd DIR 3,3 4096 2 /

syslog-ng 7547 root txt REG 3,3 113524 1064970 /usr/sbin/syslog-ng

--snipped--

Use -p to view what the specified process ID has open

The code is as follows:

# lsof -p 10075

--snipped--

sshd 10068 root mem REG 3,3 34808 850407 /lib/libnss_files-2.4.so

sshd 10068 root mem REG 3,3 34924 850409 /lib/libnss_nis-2.4.so

sshd 10068 root mem REG 3,3 26596 850405 /lib/libnss_compat-2.4.so

sshd 10068 root mem REG 3,3 200152 509940 /usr/lib/libssl.so.0.9.7

sshd 10068 root mem REG 3,3 46216 510014 /usr/lib/liblber-2.3

sshd 10068 root mem REG 3,3 59868 850413 /lib/libresolv-2.4.so

sshd 10068 root mem REG 3,3 1197180 850396 /lib/libc-2.4.so

sshd 10068 root mem REG 3,3 22168 850398 /lib/libcrypt-2.4.so

sshd 10068 root mem REG 3,3 72784 850404 /lib/libnsl-2.4.so

sshd 10068 root mem REG 3,3 70632 850417 /lib/libz.so.1.2.3

sshd 10068 root mem REG 3,3 9992 850416 /lib/libutil-2.4.so

--snipped--

The -t option returns only the PID

The code is as follows:

# lsof -t -c Mail

350

Files and directories

By pointing lsof at a file or directory you can see everything on the system that is interacting with it: users, processes and so on.

Show everything that interacts with the specified file

The code is as follows:

# lsof /var/log/messages

COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME

syslog-ng 7547 root 4w REG 3,3 217309 834024 /var/log/messages

Show everything that interacts with another file, or with a directory

The code is as follows:

# lsof /home/daniel/firewall_whitelist.txt

For a directory, lsof +d /var/log reports open files directly under it, and lsof +D /var/log descends the whole tree (slow on large trees, since lsof has to stat every file in it).

Advanced usage

As with tcpdump, the real power appears when you start combining queries.

Show everything daniel does when connecting to 1.1.1.1 (note the -a: without it lsof ORs the two selections and you would get all of daniel's files plus everyone's connections to 1.1.1.1)

The code is as follows:

# lsof -a -u daniel -i @1.1.1.1

bkdr 1893 daniel 3u IPv6 3456 TCP 10.10.1.10:1234->1.1.1.1:31337 (ESTABLISHED)

Use -t and -c together to send a HUP signal to processes

The code is as follows:

# kill -HUP `lsof -t -c sshd`

Remember that -c matches by prefix, so this signals every process whose name starts with sshd, the per-connection child processes included, not just the listening daemon. For a configuration reload, signalling the daemon's PID from its pid file or using the service manager is more precise.

lsof +L1 displays all files with a link count below 1

A link count of 0 means the file was deleted from the filesystem while a process still had it open; the data stays on disk until the last descriptor is closed. This is often benign (a log that was rotated, a library replaced by a package upgrade), but it is also the classic way an attacker hides a payload: start it, then unlink the file so nothing shows up when the filesystem is searched. Look closely at txt and mem entries marked (deleted) under directories such as /tmp; while the process is alive the content can still be copied from /proc/PID/exe or /proc/PID/fd/N.

The code is as follows:

# lsof +L1

(hopefully nothing)
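The -F option from the key-options list, the listening-socket queries and the +L1 check come together when lsof output is consumed by a script rather than read by eye. The following is an added example, not code from the article: it parses the one-field-per-line output of lsof -F (field letters as documented in lsof(8)) and runs two checks over a hand-constructed sample, the listening TCP sockets with a flag for wildcard binds, and unlinked-but-open regular files together with the /proc path their content can still be copied from. The sample output, the process names (sshd, nginx, bkdr), PIDs and paths are all made up for the example.

```python
from typing import Dict, List

# Constructed sample, not real output: roughly what `lsof -nP +L -F pcftPnTk`
# prints on a Linux host. Field letters follow lsof(8): p PID, c command,
# f FD, t type, P protocol, n name, T TCP/TPI info, k link count.
SAMPLE_LSOF_F = """\
p7703
csshd
f3
tIPv6
PTCP
n*:22
TST=LISTEN
p400
cnginx
f6
tIPv4
PTCP
n0.0.0.0:80
TST=LISTEN
p1893
cbkdr
ftxt
tREG
k0
n/tmp/.x/bkdr (deleted)
f3
tIPv4
PTCP
n10.10.1.10:1234->1.1.1.1:31337
TST=ESTABLISHED
"""

PROC_FIELDS = {"c": "command", "u": "uid", "L": "login"}
FILE_FIELDS = {"t": "type", "a": "mode", "P": "proto", "n": "name", "k": "nlink"}
WILDCARD_HOSTS = ("*", "0.0.0.0", "[::]")


def parse_lsof_f(text: str) -> List[Dict]:
    """Parse `lsof -F` output: one field per line, a letter then the value.
    'p' opens a process set, 'f' opens a file set inside it, and every other
    letter attaches to whichever set is open. For -F0 split on NUL instead."""
    procs: List[Dict] = []
    proc = fil = None
    for line in text.splitlines():
        if not line:
            continue
        key, value = line[0], line[1:]
        if key == "p":
            proc = {"pid": int(value), "files": []}
            procs.append(proc)
            fil = None
        elif key == "f":
            if proc is None:
                raise ValueError("file set before any process set")
            fil = {"fd": value, "tcp": {}}
            proc["files"].append(fil)
        elif fil is not None:
            if key == "T":  # repeats per socket: TST=LISTEN, TQR=0, TQS=0 ...
                name, _, val = value.partition("=")
                fil["tcp"][name] = val
            else:
                fil[FILE_FIELDS.get(key, key)] = value
        elif proc is not None:
            proc[PROC_FIELDS.get(key, key)] = value
    return procs


def listening_sockets(procs: List[Dict]) -> List[tuple]:
    """The `lsof -nP -iTCP -sTCP:LISTEN` view. The last element is True when the
    socket is bound to a wildcard address (reachable on every interface)."""
    found = []
    for p in procs:
        for f in p["files"]:
            if f.get("proto") == "TCP" and f["tcp"].get("ST") == "LISTEN":
                host = f["name"].rsplit(":", 1)[0]
                found.append((p["command"], p["pid"], f["name"], host in WILDCARD_HOSTS))
    return found


def unlinked_open_files(procs: List[Dict]) -> List[tuple]:
    """The `lsof +L1` view: regular files unlinked while still open (link count 0;
    Linux lsof also appends ' (deleted)'). Each result carries the /proc path the
    content can still be copied from while the process lives: /proc/PID/fd/N for a
    numeric descriptor, /proc/PID/exe for a deleted executable (fd 'txt')."""
    found = []
    for p in procs:
        for f in p["files"]:
            if f.get("type") != "REG":
                continue
            if f.get("nlink") != "0" and not f.get("name", "").endswith("(deleted)"):
                continue
            fd = f["fd"]
            recover = (f"/proc/{p['pid']}/fd/{fd}" if fd.isdigit()
                       else f"/proc/{p['pid']}/exe" if fd == "txt" else None)
            found.append((p["command"], p["pid"], fd, f["name"], recover))
    return found


if __name__ == "__main__":
    records = parse_lsof_f(SAMPLE_LSOF_F)
    for cmd, pid, addr, exposed in listening_sockets(records):
        print(f"LISTEN  {cmd}[{pid}] {addr}" + ("  <- wildcard bind" if exposed else ""))
    for cmd, pid, fd, name, path in unlinked_open_files(records):
        print(f"DELETED {cmd}[{pid}] fd={fd} {name}  copy from {path}")
```

On a live host, replace SAMPLE_LSOF_F with the output of lsof -nP +L -F pcftPnTk run as root. Deleted mem entries for shared libraries after a package upgrade will also match the second check; a deleted txt entry under /tmp or /dev/shm is the one to treat as hostile until proven otherwise.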

Show open connections for a range of ports

The code is as follows:

# lsof -i @fw.google.com:2150-2180

At this point I believe you have a better understanding of how to use the lsof command on a Linux system. Try it out in practice.


© 2024 shulou.com SLNews company. All rights reserved.
