Shulou(Shulou.com)06/01 Report--

In this issue, the editor will bring you about how to use the lsof command in linux to view the file opening. The article is rich in content and analyzes and narrates it from a professional point of view. I hope you can get something after reading this article.

Introduction to the practical usage of lsof command

Lsof is the abbreviation of list open files. It has a lot of parameters, but we only introduce some practical uses here (note that some cases require root permission to execute).

View all currently open files

Generally speaking, typing the lsof command directly produces so many results that it may be difficult to find the information we need. However, I would like to take this opportunity to explain what information is contained in a record.

$lsof (here selects a record to show) COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAMEvi 27940 hyb 7u REG 8 15 16384 137573 / home/hyb/.1.txt.swp

The results displayed by lsof are represented from left to right: the program name of the open file, process id, user, file descriptor, file type, device, size, iNode number, file name.

Let's take a look at the columns we know for a moment. This record indicates that the vi program with a process id of 27940 opened a normal file (REG regular file) .1.txt.swap in the / home/hyb directory with a file description value of 7 and in a read-write state, with a current size of 16384 bytes.

List files that have been deleted but take up space

In a production environment, we may use the df command to see that the disk is full of space, but it is actually difficult to find a file that takes up space, often because a large file is deleted, but it is opened by a process, resulting in no trace of it in a normal way, the most common of which is log files. We can find files like this through lsof:

$lsof | grep deletedXorg 1131 root 125u REG 0Magol 5 4 61026 / memfd:xshmfence (deleted) Xorg 1131 root 126u REG 0Magne5 4 62913 / memfd:xshmfence (deleted) Xorg 1131 root 129u REG 0Magol 5 4 74609 / memfd:xshmfence (deleted)

You can see these deleted but still opened files, and when they are finally found, they will be marked deleted. At this time, we can analyze according to the actual situation, which files may be too large but have been deleted, resulting in the space is still full.

Restore files that are open but deleted

Previously, we can find the file that was deleted but still opened. In fact, the file did not really disappear. If it was deleted accidentally, we still have the means to restore it. Take the / var/log/syslog file as an example, let's delete it first (root user):

$rm / var/log/syslog

Then use lsof to see which process opens the file:

$lsof | grep syslogrs:main 993 1119 syslog 5w REG 8 78419 528470 / var/log/syslog (deleted)

We can find that the process whose id is 993 opened the file, and we know that each process has a record of the file descriptor opened under / proc:

$ls-l / proc/993/fdlr-x- 1 root root 64 March 5 18:30 0-> / dev/nulll-wx- 1 root root 64 March 5 18:30 1-> / dev/nulll-wx- 1 root root 64 March 5 18:30 2-> / dev/nulllrwx- 1 root root 64 March 5 18:30 3-> socket: [15032] lr-x- 1 root Root 64 March 5 18:30 4-> / proc/kmsgl-wx- 1 root root 64 March 5 18:30 5-> / var/log/syslog (deleted) lmurwx1 root root 64 March 5 18:30 6-> / var/log/auth.log

Here we find the deleted syslog file, the file descriptor is 5, and we redirect it:

$cat / proc/993/fd/5 > syslog$ ls-al / var/log/syslog-rw-r--r-- 1 root root 78493 March 5 19:22 / var/log/syslog

This allows us to restore the syslog file.

See which processes the current file is opened by

Windows is often encountered to delete a file, and then tell you that a program is in use, but does not tell you which program it is. We can search for a file at the handle associated with Explorer-performance-Resource Monitor-cpu- to find the program that opens the file, but the search speed is touching.

Linux is relatively easy, just use the lsof command, such as to see which programs currently have hello.c open:

$lsof hello.cCOMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAMEtail 28731 hyb 3r REG 8 15228 138441 hello.c

However, we will find that the hello.c opened with vi is not found because vi opens a temporary copy. Let's find it another way:

$lsof | grep hello.ctail 28906 hyb 3r REG 8JI 15228 138441 / home/hyb/workspaces/c/hello.cvi 28933 hyb 9u REG 8JI 15 12288 137573 / home/hyb/workspaces/c/.hello.c.swp

So we found two programs related to the hello.c file.

The role of grep here is to list only those that meet the criteria from all the results.

Check how a directory file is opened

$lsof + D. /

See which files are open by the current process

Usage: lsof-c process name

It is commonly used for programs to locate problems, such as to see which libraries are used by the current process, which files are opened, and so on. Suppose you have a hello program that circulates printing characters:

Lsof-c helloCOMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAMEhello 29190 hyb cwd DIR 8 15 4096 134538 / home/hyb/workspaces/chello 29190 hyb rtd DIR 8 10 4096 2 / hello 29190 hyb txt REG 8 hyb txt REG 15 9816 138314 / home/hyb/workspaces/c/hellohello 29190 hyb mem REG 8 hyb mem REG 10 162632 926913 / lib/x86_64-linux-gnu/ld-2.23.sohello 29190 hyb 0u CHR 136 CHR 20 0t0 23 / dev/pts/20hello 29190 Hyb 1u CHR 136,20 0t0 23 / dev/pts/20hello 29190 hyb 2u CHR 136,20 0t0 23 / dev/pts/20

We can see that at least it uses the / lib/x86_64-linux-gnu/libc-2.23.so and hello files.

You can also view it through the process id, which can be separated from multiple process id by commas:

$lsof-p 29190COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAMEhello 29190 hyb cwd DIR 8 hyb mem REG 15 4096 134538 / home/hyb/workspaces/chello 29190 hyb rtd DIR 8 hyb 10 4096 2 / hello 29190 hyb txt REG 8 hyb txt REG 15 9816 138314 / home/hyb/workspaces/c/hellohello 29190 hyb mem REG 8 101868984 939763 / lib/x86_64-linux-gnu/libc-2.23.sohello 29190 hyb mem REG 8 hyb 0u CHR 136jue 20 0t0 23 / dev/pts/20hello 29190 Hyb 1u CHR 136,20 0t0 23 / dev/pts/20hello 29190 hyb 2u CHR 136,20 0t0 23 / dev/pts/20

Of course, there is another way, which is to use the proc file system to first find the process id of the hello process:

$ps-ef | grep hellohyb 29190 27929 0 21:14 pts/20 00:00:00. / hello 2hyb 29296 28848 0 21:18 pts/22 00:00:00 grep-- color=auto hello

You can see that the process id is 29190. View the process file description record directory:

$ls-l / proc/29190/fdlrwx- 1 hyb hyb 64 March 2 21:14 0-> / dev/pts/20lrwx- 1 hyb hyb 64 March 2 21:14 1-> / dev/pts/20lrwx- 1 hyb hyb 64 March 2 21:14 2-> / dev/pts/20

This method can filter a lot of information, because it only lists what the process actually opened, and here it only opens 0graine 1, 2, that is, standard input, standard output, and standard error.

Check whether a port is occupied

There are always port occupancy problems when using a database or enabling web services, so how do you check to see if a port is occupied?

$lsof-I: 6379COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAMEredis-ser 29389 hyb 6u IPv6 534612 0t0 TCP *: 6379 (LISTEN) redis-ser 29389 hyb 7u IPv4 534613 0t0 TCP *: 6379 (LISTEN)

You can see here that the redis-ser process occupies port 6379.

View all TCP/UDP connections

$lsof-I tcpava 2534 hyb 6u IPv6 31275 0t0 TCP localhost:9614 (LISTEN) java 2534 hyb 22u IPv6 96922 0t0 TCP localhost:9614- > localhost:39004 (ESTABLISHED) java 2534 hyb 23u IPv6 249588 0t0 TCP localhost:9614- > localhost:45460 (ESTABLISHED)

Of course, we can also use the netstat command.

$netstat-anp | grep 6379

The-I parameter here can be subject to a variety of conditions:

-I 4 # ipv4 address

-I 6 # ipv6 address

-I tcp # tcp connection

-I: 3306 # port

-I @ ip # ip address

So when you need to view a connection to an ip address, you can use the following ways:

$lsof-iTunes 127.0.0.1

See which files have been opened by a user

Linux is a multi-user operating system, how do you know which files are opened by other ordinary users? You can use the-u parameter

$lsof-u hyb (too much content, omitted)

List files opened by a process or a user

It is actually similar to the previous method, except that the process id or user name is preceded by ^, for example:

Lsof-p ^ 1 # list files opened except for process id 1 lsof-u ^ root # list files opened except for root users

Summary

The above description is based on one condition. In fact, multiple conditions can be combined, such as listing the tcp socket files opened by a process with a process id of 1:

Lsof-p 1-I tcp what is a Linux system Linux is a free to use and freely spread UNIX-like operating system, is a POSIX-based multi-user, multi-tasking, multi-threading and multi-CPU operating system, using Linux can run major Unix tools, applications and network protocols.

The above is the editor for you to share how to use the lsof command in linux to view the file opening, if you happen to have similar doubts, you might as well refer to the above analysis to understand. If you want to know more about it, you are welcome to follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.