How to use the lsof command 01/18 Update SLTechnology News&Howtos

How to use the lsof command

2025-01-18 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Development >

Shulou(Shulou.com)06/01 Report--

This article will explain in detail how to use the lsof command. The editor thinks it is very practical, so I share it with you as a reference. I hope you can get something after reading this article.

Lsof is a Uber tool for system management / security. It's true to call this tool lsof because it means "list open files (lists openfiles)". One thing to keep in mind is that everything (including network sockets) in Unix is a file.

1. Use the lsof command to row out all open files

# lsof

This is a long list, including open files and networks.

Lsof1

The screenshot above contains many columns, such as PID, user, FD, TYPE, and so on.

FD-File descriptor

The FD column contains these values

Cwd-Current working directorytxt-Text filemem-Memory Mapped filemmap-Memory Mapped deviceNumber-It represent the actual file descriptor. For example, 0u, 1w and 3r

R means reading, w means writing, and u stands for reading and writing.

Type stands for file type, for example:

> REG-Regular file > DIR-Directory > CHR-Character special file > FIFO-First in first out

2, list the files opened by a user

# lsof-u user_name

Example:

# lsof-u crybitCOMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAMEsshd 29609 crybit cwd DIR 144233 4096 117711421 / sshd 29609 crybit rtd DIR 144233 4096 117711421 / sshd 29609 crybit txt REG 144233 409488 119020186 / usr/sbin/sshdsshd 29609 crybit mem REG 144241 2443001619 (deleted) / dev/zero (stat: No such file or directory) sshd 29609 crybit mem REG 8 path dev=144233 37 119021850 / lib64/libnss_dns-2.5.so (path dev=144233) sshd 29609 crybit mem REG 8 37 119021984 / lib64/security/pam_succeed_if.so (path dev=144233) sshd 29609 crybit mem REG 8 37 119022000 / lib64/security/pam_limits.so (path dev=144233) sshd 29609 crybit mem REG 8 lib64/security/pam_keyinit.so 37 119021960 / lib64/security/pam_keyinit.so (path dev=144233) sshd 29609 crybit mem REG 8 37 119021972 / lib64/security/pam_cracklib.so (path dev=144233) sshd 29609 crybit mem REG 8 37 11902 1987 / lib64/security/pam_nologin.so (path dev=144233) sshd 29609 crybit mem REG 8 37 11902 1988 / lib64/security/pam_ Deny.so (path dev=144233) sshd 29609 crybit mem REG 8 deny.so 119019223 / usr/lib64/libcrack.so.2.8.0 (path dev=144233).

3, listing the processes running on a port

# lsof-I: port_number

Example:

# lsof-I: 22COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAMEsshd root 3u IPv6 2281738844 0t0 TCP *: ssh (LISTEN) sshd 769 root 4U IPv4 2281738846 0t0 TCP *: ssh (LISTEN) # lsof-I: 3306COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAMEmysqld 11106 mysql 10u IPv4 2340975114 0t0 TCP *: mysql (LISTEN)

4. Only open files using IPv4 are listed.

# lsof-I 4-For IPv4

Example:

# lsof-I 4COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAMEsshd 769 root 4U IPv4 2281738846 0t0 TCP *: ssh (LISTEN) named 8362 named 20u IPv4 2334751017 0t0 TCP localhost.localdomain:domain (LISTEN) named 8362 named 21U IPv4 2334751019 0t0 TCP crybit.com:domain (LISTEN) named 8362named 22u IPv4 2334751021 0t0 TCP localhost.localdomain:rndc (LISTEN) named 8362named 512u IPv4 2334751016 0t0 UDP localhost.localdomain : domainnamed 8362 named 513U IPv4 2334751018 0t0 UDP crybit.com:domaintcpserver 9975 root 3u IPv4 2335487959 0t0 TCP *: pop3 (LISTEN) tcpserver 9978 root 3u IPv4 2335487967 0t0 TCP *: pop3s (LISTEN) tcpserver 9983 root 3u IPv4 2335487997 0t0 TCP *: imap (LISTEN) tcpserver 9987 root 3u IPv4 2335488014 0t0 TCP *: imaps (LISTEN) xinetd 10413 root 5u IPv4 2336070983 0t0 TCP *: ftp (LISTEN) xinetd 10413 root 6u IPv4 2336070984 TCP *: smtp (LISTEN) mysqld 11106 mysql 10u IPv4 2340975114 0t0 TCP *: mysql (LISTEN) # lsof-I 6

Example:

# lsof-I 6COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAMEsshd 769 root 3u IPv6 2281738844 0t0 TCP *: ssh (LISTEN) named 8362 named 23u IPv6 2334751024 0t0 TCP localhost.localdomain:rndc (LISTEN) httpd 29241 root 4U IPv6 2439777206 0t0 TCP *: http (LISTEN) httpd 29241 root 6u IPv6 2439777211 0t0 TCP *: https (LISTEN) httpd 29243 apache 4u IPv6 2439777206 0t0 TCP *: http (LISTEN) httpd 29243 apache 6U IPv6 2439777211 0t0 TCP *: https (LISTEN) httpd 29244 apache 4u IPv6 2439777206 0t0 TCP *: http (LISTEN) httpd 29244 apache 6u IPv6 2439777211 0t0 TCP *: https (LISTEN) httpd 29245 apache 4u IPv6 2439777206 0t0 TCP *: http (LISTEN) httpd 29245 apache 6u IPv6 2439777211 0t0 TCP *: https (LISTEN) httpd 29246 apache 4u IPv6 2439777206 0t0 TCP *: http (LISTEN)

5, listing all processes with ports between 1 and 1024

# lsof-I: 1-1024

Example:

# lsof-I: 1-1024COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAMEsshd 769 root 3u IPv6 2281738844 0t0 TCP *: ssh (LISTEN) sshd 769 root 4U IPv4 2281738846 0t0 TCP *: ssh (LISTEN) named 8362 named 20u IPv4 2334751017 0t0 TCP localhost.localdomain:domain (LISTEN) named 8362 named 21u IPv4 2334751019 0t0 TCP crybit.com:domain (LISTEN) named 8362 named 22u IPv4 2334751021 0t0 TCP localhost.localdomain:rndc (LISTEN) named 8362 named 23u IPv6 2334751024 0t0 TCP localhost.localdomain:rndc (LISTEN) tcpserver 9975 root 3U IPv4 2335487959 0t0 TCP *: pop3 (LISTEN) tcpserver 9978 root 3u IPv4 2335487967 0t0 TCP *: pop3s (LISTEN) tcpserver 9983 root 3u IPv4 2335487997 0t0 TCP *: imap (LISTEN) tcpserver 9987 root 3u IPv4 2335488014 0t0 TCP *: imaps (LISTEN) xinetd 10413 root 5u IPv4 2336070983 0t0 TCP *: ) xinetd 10413 root 6u IPv4 2336070984 0t0 TCP *: smtp (LISTEN) httpd 29241 root 4U IPv6 2439777206 0t0 TCP *: http (LISTEN) httpd 29241 root 6u IPv6 2439777211 0t0 TCP *: https (LISTEN) httpd 29243 apache 4u IPv6 2439777206 0t0 TCP *: http (LISTEN).

6. List the open files according to the process id

# lsof-p PID

Example:

# lsof-p 11106COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAMEmysqld 11106 mysql cwd DIR 144233 4096 119025114 / var/lib/mysqlmysqld 11106 mysql rtd DIR 144233 4096 117711421 / mysqld 11106 mysql txt REG 144233 9484782 119025094 / usr/libexec/mysqldmysqld 119025094 / usr/libexec/mysqld (path dev=144233) mysqld 11106 mysql mem REG 8 lib64/libnss_dns-2.5.so 37 119021850 / lib64/libnss_dns-2.5.so (path dev=144233) mysqld 11106 mysql mem REG 8 37 119021830 / lib64/libnss_files-2.5.so (path dev=144233) mysqld 11106 mysql mem REG 8 37 119021841 / lib64/libsepol.so.1 (path dev=144233) mysqld 11106 mysql mem REG 8 37 119021801 / lib64/ Libselinux.so.1 (path dev=144233) mysqld 11106 mysql mem REG 8 mysqld 37 119021785 / lib64/libresolv-2.5.so (path dev=144233) mysqld 11106 mysql mem REG 8 37 119021920 / lib64/libkeyutils-1.2.so (path dev=144233) mysqld 11106 mysql mem REG 8 mysql mem REG 37 119017006 / usr/lib64/libkrb5support.so.0.1 (path dev=144233).

7. Kill all active processes of a user

# killall-9 `lsof-t-u username`

8, listing the files that are opened in a directory

# lsof + D path_of_the_directory

Example:

# lsof + D / var/log/COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAMEsyslogd 9729 root 1w REG 144233 119019158 / var/log/kernelsyslogd 9729 root 2w REG 144233 350722 119021699 / var/log/messagessyslogd 9729 root 3w REG 144233 591577 119019159 / var/log/securesyslogd 9729 root 4w REG 144233 591577 119019159 / var/log/secure

9, list the open files by process name

# lsof-c process_name

Example:

# lsof-c sshCOMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAMEsshd 483 root cwd DIR 8 root cwd DIR 9 4096 2 / sshd 483 root rtd DIR 8 root rtd DIR 9 4096 2 / sshd 483 root txt REG 8 record9 523488 1193409 / usr/sbin/sshd

10, listing all network connections

# lsof-I

This command lists all listening and established network connections Example:

# lsof-iCOMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAMEsshd 769 root 3u IPv6 2281738844 0t0 TCP *: ssh (LISTEN) sshd 769 root 4U IPv4 2281738846 0t0 TCP *: ssh (LISTEN) named 8362 named 20u IPv4 2334751017 0t0 TCP localhost.localdomain:domain (LISTEN) named 8362 named 21u IPv4 2334751019 0t0 TCP crybit.com:domain (LISTEN) named 8362 named 22u IPv4 2334751021 0t0 TCP localhost.localdomain Rndc (LISTEN) named 8362 named 23u IPv6 2334751024 0t0 TCP localhost.localdomain:rndc (LISTEN) named 8362 named 512u IPv4 2334751016 0t0 UDP localhost.localdomain:domain

This is the end of this article on "how to use lsof commands". I hope the above content can be of some help to you, so that you can learn more knowledge. if you think the article is good, please share it for more people to see.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.

*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.