How to recover deleted files on Linux using the lsof command

2025-01-22 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article explains in detail how to use the lsof command on Linux to restore deleted files.

lsof command

The lsof command lists the files a process has opened, the processes that have a given file open, and the ports (TCP, UDP) a process has opened. It can also be used to retrieve and recover deleted files. It is a very convenient system monitoring tool. Because lsof needs access to kernel memory and various files, it needs to be run as root.

In a Linux environment everything exists in the form of files; through files you can access not only regular data but also network connections and hardware. For things such as Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) sockets, the system allocates a file descriptor to the application in the background. Regardless of the nature of the file, the file descriptor provides a general interface for interaction between the application and the underlying operating system. Because the list of descriptors for an application's open files reveals a lot about the application itself, being able to view this list with lsof is helpful for system monitoring and debugging.

Syntax

lsof (options)

Parameters

-a: lists the processes that have the file open

-c: lists the files opened by the specified process

-g: lists the details of processes by GID

-d: lists the processes using the specified file descriptor number

+d: lists the files opened in the directory

+D: recursively lists the files opened in the directory

-n: lists files that use NFS

-i: lists the processes that meet the criteria (4, 6, protocol, :port, @ip)

-p: lists the files opened by the specified process number

-u: lists the details of processes by UID

-h: displays help information

-v: displays version information

Use

View

lsof -i:(port) shows which processes are accessing this port, for example port 22

shell > lsof -i:22
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 1939 root 3u IPv4 12317 0t0 TCP *:ssh (LISTEN)
sshd 1939 root 4u IPv6 12321 0t0 TCP *:ssh (LISTEN)
sshd 2790 root 3u IPv4 15229 0t0 TCP 192.168.178.128:ssh->192.168.178.128:64601 (ESTABLISHED)
sshd 2824 root 3u IPv4 15528 0t0 TCP 192.168.178.128:ssh->192.168.178.1:64673 (ESTABLISHED)
sshd 2990 root 3u IPv4 15984 0t0 TCP 192.168.178.128:ssh->192.168.178.1:49662 (ESTABLISHED)

The columns in lsof's output have the following meanings:

COMMAND: the name of the process

PID: process identifier

USER: process owner

FD: file descriptor, by which the application identifies the file, such as cwd, txt, etc.

TYPE: file type, such as DIR, REG, etc.

DEVICE: specifies the name of the disk

SIZE: the size of the file

NODE: inode (identification of the file on disk)

NAME: the exact name of the open file

Restore files

Some system logs can be restored with lsof, provided that the process still exists. Here we take the most commonly used file, /var/log/messages, as an example. If you try this as a test, make a backup first.

# backup
shell > cp /var/log/messages /var/log/message_bac
shell > lsof | grep /var/log/message
rsyslogd 1737 root 1w REG 8,2 5716123 652638 /var/log/messages

The process is running, and then I delete the file /var/log/messages:

shell > rm /var/log/messages

After deleting it, I look at what has changed for this process:

shell > lsof | grep /var/log/messages
rsyslogd 1737 root 1w REG 8,2 5716123 652638 /var/log/messages (deleted)

Comparing the two outputs, the only change is the added (deleted) marker. To find out where this file is, we need these two fields:

PID: 1737 and FD: 1, so we go directly to /proc/1737/fd/1 and check it with ll.

shell > cd /proc/1737/fd/
shell > ll
total 0
lrwx------ 1 root root 64 Dec 23 13:00 0 -> socket:[11442]
l-wx------ 1 root root 64 Dec 23 13:00 1 -> /var/log/messages (deleted)
l-wx------ 1 root root 64 Dec 23 13:00 2 -> /var/log/secure
lr-x------ 1 root root 64 Dec 23 13:00 3 -> /proc/kmsg
l-wx------ 1 root root 64 Dec 23 13:00 4 -> /var/log/maillog

Descriptor 1 corresponds to /var/log/messages (deleted). Check whether the file is the one we want:

shell > head -5 1
Nov 14 03:11:11 localhost kernel: imklog 5.8.10, log source = /proc/kmsg started.
Nov 14 03:11:11 localhost rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="1241" ...
Nov 14 03:11:11 localhost kernel: Initializing cgroup subsys cpuset
Nov 14 03:11:11 localhost kernel: Initializing cgroup subsys cpu
Nov 14 03:11:11 localhost kernel: Linux version 2.6.32-431.el6.x86_64 (mockbuild@c6b8.bsys.dev.centos.org) (gcc version 4.4.7 20120313 (Red Hat 4.4.7-4) (GCC) ) #1 SMP Fri Nov 22 03:15:09 UTC 2013

Compare with the backup file:

shell > head -5 /var/log/message_bac
Nov 14 03:11:11 localhost kernel: imklog 5.8.10, log source = /proc/kmsg started.
Nov 14 03:11:11 localhost rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="1241" ...
Nov 14 03:11:11 localhost kernel: Initializing cgroup subsys cpuset
Nov 14 03:11:11 localhost kernel: Initializing cgroup subsys cpu
Nov 14 03:11:11 localhost kernel: Linux version 2.6.32-431.el6.x86_64 (mockbuild@c6b8.bsys.dev.centos.org) (gcc version 4.4.7 20120313 (Red Hat 4.4.7-4) (GCC) ) #1 SMP Fri Nov 22 03:15:09 UTC 2013

The comparison shows that the data is the same, so restore it:

shell > cat 1 > /var/log/messages

Once again, recovery is only possible while the process still exists.
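
The same recovery can be done by scanning /proc directly instead of reading lsof output by eye. This is an added example, not part of the original article: the function names list_deleted_fds and recover_fd are hypothetical, and the copy goes to a new path rather than overwriting the original one.

```shell
#!/bin/sh
# Added example: locate deleted-but-still-open files through /proc and copy one out.
# Function names are hypothetical; only /proc/<pid>/fd/<n> comes from the article.

# Print "PID FD PATH" for each descriptor whose link target ends in " (deleted)".
# With no argument, every process readable by the current user is scanned.
list_deleted_fds() {
    local pid_glob="${1:-[0-9]*}" link target pid fd
    for link in /proc/$pid_glob/fd/*; do
        # Unreadable or vanished entries make readlink fail; skip them.
        target=$(readlink "$link" 2>/dev/null) || continue
        case "$target" in
            /*" (deleted)") ;;          # unlinked file still held open
            *) continue ;;              # sockets, pipes, live files
        esac
        pid=${link#/proc/}; pid=${pid%%/*}
        fd=${link##*/}
        printf '%s %s %s\n' "$pid" "$fd" "${target% (deleted)}"
    done
}

# Copy the data behind /proc/PID/fd/FD to DEST without clobbering anything.
recover_fd() {
    local pid="$1" fd="$2" dest="$3"
    local src="/proc/$pid/fd/$fd"
    if [ -e "$dest" ]; then
        echo "refusing to overwrite $dest" >&2
        return 1
    fi
    case "$(readlink "$src" 2>/dev/null)" in
        *" (deleted)") ;;
        *) echo "$src is not a deleted file" >&2; return 1 ;;
    esac
    # Opening the /proc link reads the unlinked inode from offset 0.
    cp -- "$src" "$dest"
}
```

After the copy, the process keeps writing to the unlinked inode, not to any new file created at the original path, until it is restarted or told to reopen its log files.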
