2025-02-23 Update From: SLTechnology News&Howtos (Shulou.com)
This article shows how to use the lsof command in Linux.
lsof (list open files) is a tool that lists the files currently open on the system. In a Linux environment everything exists in the form of a file: through files you can access not only regular data but also network connections and hardware. For Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) sockets, for example, the system allocates a file descriptor to the application in the background. Whatever the nature of the file, the file descriptor provides a general interface for the interaction between the application and the underlying operating system. Because the list of descriptors an application has open says a lot about the application itself, being able to view this list with lsof is helpful for system monitoring and debugging. lsof can only be executed with root privileges.
1. Command format
lsof [options]
2. Option parameters
-a: lists the processes that have the file open
-c: lists the files opened by the specified process
-g: lists the details of the GID process
-d: lists the processes that occupy the file number
+d: lists the files opened in the directory
+D: recursively lists the files opened in the directory
-N: lists files that use NFS
-i: lists the processes that meet the criteria (4, 6, protocol, :port, @ip)
-p: lists the files opened by the specified process number
-u: lists the details of the UID process
-h: displays help information
-v: displays version information
3. Use examples (take CentOS 7 version as an example)
Example 1: displays a list of all files currently open on the Linux system (top 40 items)
[root@wjq ~]# lsof | head -40
lsof: WARNING: can't stat() fuse.gvfsd-fuse file system /run/user/42/gvfs
      Output information may be incomplete.
COMMAND PID TID USER FD TYPE DEVICE SIZE/OFF NODE NAME
systemd 1 root cwd DIR 253,0 4096 64 /
systemd 1 root rtd DIR 253,0 4096 64 /
systemd 1 root txt REG 253,0 1482128 4221 /usr/lib/systemd/systemd
systemd 1 root mem REG 253,0 20040 33683824 /usr/lib64/libuuid.so.1.3.0
systemd 1 root mem REG 253,0 256960 33895489 /usr/lib64/libblkid.so.1.1.0
systemd 1 root mem REG 253,0 90664 33683808 /usr/lib64/libz.so.1.2.7
systemd 1 root mem REG 253,0 157424 33683835 /usr/lib64/liblzma.so.5.2.2
systemd 1 root mem REG 253,0 23968 33683981 /usr/lib64/libcap-ng.so.0.0.0
systemd 1 root mem REG 253,0 19888 33684065 /usr/lib64/libattr.so.1.1.0
systemd 1 root mem REG 253,0 19344 33620992 /usr/lib64/libdl-2.17.so
systemd 1 root mem REG 253,0 398264 33683764 /usr/lib64/libpcre.so.1.2.0
systemd 1 root mem REG 253,0 2116736 33620986 /usr/lib64/libc-2.17.so
systemd 1 root mem REG 253,0 143352 33621012 /usr/lib64/libpthread-2.17.so
systemd 1 root mem REG 253,0 88720 33554508 /usr/lib64/libgcc_s-4.8.5-20150702.so.1
systemd 1 root mem REG 253,0 43928 33621016 /usr/lib64/librt-2.17.so
systemd 1 root mem REG 253,0 265008 33895601 /usr/lib64/libmount.so.1.1.0
systemd 1 root mem REG 253,0 91792 33858785 /usr/lib64/libkmod.so.2.2.10
systemd 1 root mem REG 253,0 122936 33683983 /usr/lib64/libaudit.so.1.0.0
systemd 1 root mem REG 253,0 61672 33941999 /usr/lib64/libpam.so.0.83.1
systemd 1 root mem REG 253,0 20024 33684068 /usr/lib64/libcap.so.2.22
systemd 1 root mem REG 253,0 155744 33683773 /usr/lib64/libselinux.so.1
systemd 1 root mem REG 253,0 155064 33620979 /usr/lib64/ld-2.17.so
systemd 1 root 0u CHR 1,3 0t0 4787 /dev/null
systemd 1 root 1u CHR 1,3 0t0 4787 /dev/null
systemd 1 root 2u CHR 1,3 0t0 4787 /dev/null
systemd 1 root 3u a_inode 0,9 0 4783 [timerfd]
systemd 1 root 4u a_inode 0,9 0 4783 [eventpoll]
systemd 1 root 5u a_inode 0,9 0 4783 [signalfd]
systemd 1 root 6r DIR 0,20 0 6749 /sys/fs/cgroup/systemd
systemd 1 root 7u a_inode 0,9 0 4783 [timerfd]
systemd 1 root 8u netlink 0t0 11369 KOBJECT_UEVENT
systemd 1 root 9r REG 0,3 0 7007 /proc/1/mountinfo
systemd 1 root 10r a_inode 0,9 0 4783 inotify
systemd 1 root 11r REG 0,3 0 4026532019 /proc/swaps
systemd 1 root 12u unix 0xffff880035cef000 0t0 11376 /run/systemd/private
systemd 1 root 14r a_inode 0,9 0 4783 inotify
systemd 1 root 19u netlink 0t0 11381 AUDIT
systemd 1 root 20u FIFO 0,18 0t0 11405 /run/systemd/initctl/fifo
systemd 1 root 21u unix 0xffff880035cefc00 0t0 11413 /run/lvm/lvmetad.socket
Description:
Each line displays one open file, and if you do not specify conditions, all files opened by all processes will be displayed by default.
The meaning of each column in lsof's output is as follows:
COMMAND: name of the process
PID: process identifier
USER: process owner
FD: file descriptor, by which the application identifies the file, or a label such as cwd or txt:
(1) cwd: the current working directory of the application, which is the directory the application was started from unless it changes directory itself
(2) txt: this type of file is program code, such as the application binary itself or a shared library, for example the /sbin/init program shown in the list above
(3) Lnn: library references (AIX)
(4) er: FD information error (see NAME column)
(5) jld: jail directory (FreeBSD)
(6) ltx: shared library text (code and data)
(7) Mxx: hex memory-mapped type number xx
(8) m86: DOS Merge mapped file
(9) mem: memory-mapped file
(10) mmap: memory-mapped device
(11) pd: parent directory
(12) rtd: root directory
(13) tr: kernel trace file (OpenBSD)
(14) v86: VP/ix mapped file
(15) 0: indicates standard output
(16) 1: indicates standard input
(17) 2: indicates standard error
Generally, standard output, standard error and standard input are followed by a file status mode: r, w, u, etc.
(1) u: indicates that the file is open and in read/write mode
(2) r: indicates that the file is open and in read-only mode
(3) w: indicates that the file is opened and in
(4) Space: indicates that the status mode of the file is unknown and the file is not locked
(5) -: indicates that the status mode of the file is unknown and the file is locked
The file status mode is in turn followed by the lock that applies:
(1) N: for a Solaris NFS lock of unknown type
(2) r: for a read lock on part of the file
(3) R: for a read lock on the entire file
(4) w: for a write lock on part of the file
(5) W: for a write lock on the entire file
(6) u: for a read and write lock of any length
(7) U: for a lock of unknown type
(8) x: for an SCO OpenServer Xenix lock on part of the file
(9) X: for an SCO OpenServer Xenix lock on the entire file
(10) space: if there is no lock
TYPE: file type, such as DIR, REG, etc.
(1) DIR: indicates the directory
(2) CHR: indicates the character type
(3) BLK: block device type
(4) UNIX: UNIX domain socket
(5) FIFO: first in first out (FIFO) queue
(6) IPv4: Internet Protocol (IP) socket
DEVICE: specifies the name of the disk
SIZE: the size of the file
NODE: Inode (identification of files on disk)
NAME: the exact name of the open file
Example 2: find out who is using the file system
When you unmount a file system, the operation will usually fail if there are any open files on it. You can use lsof to find out which processes are using the file system to be unmounted, as follows:
[root@wjq ~]# lsof /home
lsof: WARNING: can't stat() fuse.gvfsd-fuse file system /run/user/42/gvfs
      Output information may be incomplete.
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
tnslsnr 3780 oracle cwd DIR 253,2 4096 71 /home/oracle
bash 27386 root cwd DIR 253,2 4096 71 /home/oracle
vim 27442 root cwd DIR 253,2 4096 71 /home/oracle
vim 27442 root 3u REG 253,2 4096 114 /home/oracle/.1.txt.swp
In this example, the user root is working in the /home/oracle directory. One bash is running with /home/oracle as its current directory, and vim is editing the file 1.txt under /home/oracle. To unmount /home/oracle successfully, you should terminate these processes after notifying the user and making sure it is safe to do so. This example shows that an application's current working directory matters, because it still holds a file resource and prevents the file system from being unmounted. This is why most daemons (background processes) change their directory to root, or to a service-specific directory (such as /var/spool/mqueue in the sendmail example), so that the daemon does not prevent unrelated file systems from being unmounted.
Example 3: see who is using a file, that is, to find a process related to a file
[root@wjq ~]# lsof /bin/bash
lsof: WARNING: can't stat() fuse.gvfsd-fuse file system /run/user/42/gvfs
      Output information may be incomplete.
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
ksmtuned 660 root txt REG 253,0 960392 85563 /usr/bin/bash
mysqld_sa 994 mysql txt REG 253,0 960392 85563 /usr/bin/bash
bash 27094 root txt REG 253,0 960392 85563 /usr/bin/bash
bash 27386 root txt REG 253,0 960392 85563 /usr/bin/bash
Example 4: recursively find the file information of a directory
[root@wjq ~]# lsof +D /etc/
lsof: WARNING: can't stat() fuse.gvfsd-fuse file system /run/user/42/gvfs
      Output information may be incomplete.
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
systemd-u 507 root mem REG 253,0 7289802 67164582 /etc/udev/hwdb.bin
systemd-u 507 root 6r REG 253,0 7289802 67164582 /etc/udev/hwdb.bin
avahi-dae 632 avahi cwd DIR 253,0 71 102480993 /etc/avahi
avahi-dae 632 avahi rtd DIR 253,0 71 102480993 /etc/avahi
cupsd 931 root 10r REG 253,0 2392 69280429 /etc/passwd
gnome-ses 1459 gdm mem REG 253,0 395 102699532 /etc/dconf/db/distro
gnome-ses 1459 gdm mem REG 253,0 104 102656452 /etc/dconf/db/site
gnome-ses 1459 gdm mem REG 253,0 104 101248845 /etc/dconf/db/local
gnome-ses 1459 gdm mem REG 253,0 104 100950876 /etc/dconf/db/gdm
at-spi-bu 1466 gdm mem REG 253,0 395 102699532 /etc/dconf/db/distro
at-spi-bu 1466 gdm mem REG 253,0 104 102656452 /etc/dconf/db/site
at-spi-bu 1466 gdm mem REG 253,0 104 101248845 /etc/dconf/db/local
at-spi-bu 1466 gdm mem REG 253,0 104 100950876 /etc/dconf/db/gdm
gnome-set 1482 gdm mem REG 253,0 395 102699532 /etc/dconf/db/distro
gnome-set 1482 gdm mem REG 253,0 104 102656452 /etc/dconf/db/site
gnome-set 1482 gdm mem REG 253,0 104 101248845 /etc/dconf/db/local
gnome-set 1482 gdm mem REG 253,0 104 100950876 /etc/dconf/db/gdm
gnome-set 1482 gdm 14r REG 253,0 65536 34100937 /etc/pki/nssdb/cert8.db
gnome-set 1482 gdm 16r REG 253,0 16384 34100939 /etc/pki/nssdb/key3.db
gnome-she 1513 gdm mem REG 253,0 395 102699532 /etc/dconf/db/distro
gnome-she 1513 gdm mem REG 253,0 104 102656452 /etc/dconf/db/site
gnome-she 1513 gdm mem REG 253,0 104 101248845 /etc/dconf/db/local
gnome-she 1513 gdm mem REG 253,0 104 100950876 /etc/dconf/db/gdm
ibus-dcon 1548 gdm mem REG 253,0 395 102699532 /etc/dconf/db/distro
ibus-dcon 1548 gdm mem REG 253,0 104 102656452 /etc/dconf/db/site
ibus-dcon 1548 gdm mem REG 253,0 104 101248845 /etc/dconf/db/local
ibus-dcon 1548 gdm mem REG 253,0 104 100950876 /etc/dconf/db/gdm
mission-c 1557 gdm mem REG 253,0 395 102699532 /etc/dconf/db/distro
mission-c 1557 gdm mem REG 253,0 104 102656452 /etc/dconf/db/site
mission-c 1557 gdm mem REG 253,0 104 101248845 /etc/dconf/db/local
mission-c 1557 gdm mem REG 253,0 104 100950876 /etc/dconf/db/gdm
goa-daemo 1580 gdm mem REG 253,0 395 102699532 /etc/dconf/db/distro
goa-daemo 1580 gdm mem REG 253,0 104 102656452 /etc/dconf/db/site
goa-daemo 1580 gdm mem REG 253,0 104 101248845 /etc/dconf/db/local
goa-daemo 1580 gdm mem REG 253,0 104 100950876 /etc/dconf/db/gdm
Example 5: view the file information opened by a user
[root@wjq ~]# lsof -u oracle | head -40
lsof: WARNING: can't stat() fuse.gvfsd-fuse file system /run/user/42/gvfs
      Output information may be incomplete.
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
oracle 1832 oracle cwd DIR 253,0 164 33584428 /u01/app/oracle/product/11.2.0/dbhome_1/dbs
oracle 1832 oracle rtd DIR 253,0 4096 64 /
oracle 1832 oracle txt REG 253,0 239520824 104141161 /u01/app/oracle/product/11.2.0/dbhome_1/bin/oracle
oracle 1832 oracle mem REG 0,17 16777216 25163 /dev/shm/ora_seiang11g_131073_0
oracle 1832 oracle mem REG 0,17 0 25167 /dev/shm/ora_seiang11g_163842_0
oracle 1832 oracle mem REG 0,17 0 25168 /dev/shm/ora_seiang11g_163842_1
oracle 1832 oracle mem REG 0,17 0 25169 /dev/shm/ora_seiang11g_163842_2
oracle 1832 oracle mem REG 0,17 0 25170 /dev/shm/ora_seiang11g_163842_3
oracle 1832 oracle mem REG 0,17 0 25171 /dev/shm/ora_seiang11g_163842_4
oracle 1832 oracle mem REG 0,17 0 25172 /dev/shm/ora_seiang11g_163842_5
oracle 1832 oracle mem REG 0,17 0 25173 /dev/shm/ora_seiang11g_163842_6
oracle 1832 oracle mem REG 0,17 0 25174 /dev/shm/ora_seiang11g_163842_7
oracle 27596 oracle mem CHR 1,5 4789 /dev/zero
oracle 27596 oracle mem REG 253,0 61752 33621004 /usr/lib64/libnss_files-2.17.so
oracle 27596 oracle mem REG 253,0 88720 33554508 /usr/lib64/libgcc_s-4.8.5-20150702.so.1
oracle 27596 oracle mem REG 253,0 50712 33858575 /usr/lib64/libnuma.so.1
oracle 27596 oracle mem REG 253,0 2116736 33620986 /usr/lib64/libc-2.17.so
oracle 27596 oracle mem REG 253,0 113152 33620996 /usr/lib64/libnsl-2.17.so
oracle 27596 oracle mem REG 253,0 143352 33621012 /usr/lib64/libpthread-2.17.so
oracle 27596 oracle mem REG 253,0 1141456 33620994 /usr/lib64/libm-2.17.so
oracle 27596 oracle mem REG 253,0 19344 33620992 /usr/lib64/libdl-2.17.so
oracle 27596 oracle mem REG 253,0 6264 33858589 /usr/lib64/libaio.so.1.0.1
…… (N lines are omitted here)
oracle 27596 oracle mem REG 253,0 156012 72091029 /u01/app/oracle/product/11.2.0/dbhome_1/lib/libocrutl11.so
oracle 27596 oracle mem REG 253,0 3354840 72091028 /u01/app/oracle/product/11.2.0/dbhome_1/lib/libocrb11.so
oracle 27596 oracle mem REG 253,0 1612720 72091027 /u01/app/oracle/product/11.2.0/dbhome_1/lib/libocr11.so
oracle 27596 oracle mem REG 253,0 12787 69872407 /u01/app/oracle/product/11.2.0/dbhome_1/lib/libskgxn2.so
oracle 27596 oracle mem REG 253,0 17647384 72091023 /u01/app/oracle/product/11.2.0/dbhome_1/lib/libhasgen11.so
oracle 27596 oracle mem REG 253,0 161796 69872194 /u01/app/oracle/product/11.2.0/dbhome_1/lib/libdbcfg11.so
oracle 27596 oracle mem REG 253,0 241443 72091025 /u01/app/oracle/product/11.2.0/dbhome_1/lib/libclsra11.so
oracle 27596 oracle mem REG 253,0 7996693 72151264 /u01/app/oracle/product/11.2.0/dbhome_1/lib/libnnz11.so
oracle 27596 oracle mem REG 253,0 43928 33621016 /usr/lib64/librt-2.17.so
oracle 27596 oracle mem REG 253,0 1133264 71108630 /u01/app/oracle/product/11.2.0/dbhome_1/lib/libskgxp11.so
oracle 27596 oracle mem REG 253,0 720412 72151276 /u01/app/oracle/product/11.2.0/dbhome_1/lib/libcell11.so
oracle 27596 oracle mem REG 253,0 155064 33620979 /usr/lib64/ld-2.17.so
oracle 27596 oracle DEL REG 0,10 1628455 /[aio]
oracle 27596 oracle mem REG 253,0 12291 70011741 /u01/app/oracle/product/11.2.0/dbhome_1/lib/libodmd11.so
oracle 27596 oracle 0r CHR 1,3 0t0 4787 /dev/null
oracle 27596 oracle 1w CHR 1,3 0t0 4787 /dev/null
oracle 27596 oracle 2w CHR 1,3 0t0 4787 /dev/null
oracle 27596 oracle 3r CHR 1,3 0t0 4787 /dev/null
-- list the files opened by users other than a given user
[root@wjq ~]# lsof -u ^root
Description: a ^ before the user name excludes that user, so files opened by the root user's processes are not displayed.
Example 6: list the file information opened by a process
[root@wjq ~]# lsof -c mysql
lsof: WARNING: can't stat() fuse.gvfsd-fuse file system /run/user/42/gvfs
      Output information may be incomplete.
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
mysqld_sa 994 mysql cwd DIR 253,0 4096 64 /
mysqld_sa 994 mysql rtd DIR 253,0 4096 64 /
mysqld_sa 994 mysql txt REG 253,0 960392 85563 /usr/bin/bash
mysqld_sa 994 mysql mem REG 253,0 106070960 85554 /usr/lib/locale/locale-archive
…… (N lines are omitted here)
mysqld 1178 mysql 19u REG 253,0 532 48713024 /var/lib/mysql/mysql/user.MYD
mysqld 1178 mysql 20u REG 253,0 5120 48713017 /var/lib/mysql/mysql/db.MYI
mysqld 1178 mysql 21u REG 253,0 880 48713018 /var/lib/mysql/mysql/db.MYD
mysqld 1178 mysql 22u REG 253,0 5120 50288030 /var/lib/mysql/mysql/proxies_priv.MYI
mysqld 1178 mysql 23u REG 253,0 1386 50288031 /var/lib/mysql/mysql/proxies_priv.MYD
mysqld 1178 mysql 24u REG 253,0 4096 48713035 /var/lib/mysql/mysql/tables_priv.MYI
mysqld 1178 mysql 25u REG 253,0 0 48713036 /var/lib/mysql/mysql/tables_priv.MYD
mysqld 1178 mysql 26u REG 253,0 4096 48713038 /var/lib/mysql/mysql/columns_priv.MYI
mysqld 1178 mysql 27u REG 253,0 0 48713039 /var/lib/mysql/mysql/columns_priv.MYD
mysqld 1178 mysql 28u REG 253,0 4096 50288015 /var/lib/mysql/mysql/procs_priv.MYI
mysqld 1178 mysql 29u REG 253,0 0 50288016 /var/lib/mysql/mysql/procs_priv.MYD
mysqld 1178 mysql 30u REG 253,0 1024 48713032 /var/lib/mysql/mysql/servers.MYI
mysqld 1178 mysql 31u REG 253,0 0 48713033 /var/lib/mysql/mysql/servers.MYD
mysqld 1178 mysql 32u REG 253,0 2048 50288024 /var/lib/mysql/mysql/event.MYI
mysqld 1178 mysql 33u REG 253,0 0 50288025 /var/lib/mysql/mysql/event.MYD
-- lists the file information opened by multiple processes
[root@wjq ~]# lsof -c mysql -c sshd
-- lists the file information opened by a user in a process
[root@wjq ~]# lsof -c sshd -u oracle
Example 7: list the file information corresponding to multiple process numbers
[root@wjq ~]# lsof -p 2,3,9
lsof: WARNING: can't stat() fuse.gvfsd-fuse file system /run/user/42/gvfs
      Output information may be incomplete.
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
kthreadd 2 root cwd DIR 253,0 4096 64 /
kthreadd 2 root rtd DIR 253,0 4096 64 /
kthreadd 2 root txt unknown /proc/2/exe
ksoftirqd 3 root cwd DIR 253,0 4096 64 /
ksoftirqd 3 root rtd DIR 253,0 4096 64 /
ksoftirqd 3 root txt unknown /proc/3/exe
rcu_sched 9 root cwd DIR 253,0 4096 64 /
rcu_sched 9 root rtd DIR 253,0 4096 64 /
rcu_sched 9 root txt unknown /proc/9/exe
-- list the files opened by processes other than a given process number
[root@wjq ~]# lsof -p ^2
Example 8: list all network connections
[root@wjq ~]# lsof -i
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
systemd 1 root 38u IPv6 14043 0t0 TCP *:sunrpc (LISTEN)
systemd 1 root 39u IPv4 14044 0t0 TCP *:sunrpc (LISTEN)
avahi-dae 632 avahi 12u IPv4 16000 0t0 UDP *:mdns
avahi-dae 632 avahi 13u IPv4 16001 0t0 UDP *:59037
cupsd 931 root 11u IPv6 20259 0t0 TCP localhost:ipp (LISTEN)
cupsd 931 root 12u IPv4 20260 0t0 TCP localhost:ipp (LISTEN)
httpd 940 root 4u IPv6 20914 0t0 TCP *:http (LISTEN)
sshd 978 root 3u IPv4 19298 0t0 TCP *:ssh (LISTEN)
sshd 978 root 4u IPv6 19307 0t0 TCP *:ssh (LISTEN)
mysqld 1178 mysql 14u IPv4 20988 0t0 TCP *:mysql (LISTEN)
master 1239 root 13u IPv4 20739 0t0 TCP localhost:smtp (LISTEN)
master 1239 root 14u IPv6 20740 0t0 TCP localhost:smtp (LISTEN)
httpd 1330 apache 4u IPv6 20914 0t0 TCP *:http (LISTEN)
httpd 1331 apache 4u IPv6 20914 0t0 TCP *:http (LISTEN)
httpd 1332 apache 4u IPv6 20914 0t0 TCP *:http (LISTEN)
httpd 1333 apache 4u IPv6 20914 0t0 TCP *:http (LISTEN)
httpd 1334 apache 4u IPv6 20914 0t0 TCP *:http (LISTEN)
dnsmasq 1386 nobody 3u IPv4 21368 0t0 UDP *:bootps
dnsmasq 1386 nobody 5u IPv4 21375 0t0 UDP wjq.comsys.com:domain
dnsmasq 1386 nobody 6u IPv4 21376 0t0 TCP wjq.comsys.com:domain (LISTEN)
oracle 1832 oracle 9u IPv6 25267 0t0 UDP localhost:41804
oracle 1832 oracle 12u IPv4 44942 0t0 TCP wjq.comsys.com:58605->wjq.comsys.com:ncube-lm (ESTABLISHED)
oracle 1852 oracle 14u IPv6 30917 0t0 UDP *:56442
oracle 1860 oracle 14u IPv6 25837 0t0 UDP *:44721
oracle 1864 oracle 9u IPv6 25506 0t0 UDP localhost:18001
oracle 1864 oracle 10u IPv6 25509 0t0 TCP *:28327 (LISTEN)
oracle 1866 oracle 9u IPv6 25501 0t0 UDP localhost:17685
tnslsnr 3780 oracle 8u IPv6 44829 0t0 TCP *:ncube-lm (LISTEN)
tnslsnr 3780 oracle 13u IPv6 44943 0t0 TCP wjq.comsys.com:ncube-lm->wjq.comsys.com:58605 (ESTABLISHED)
sshd 27091 root 3u IPv4 1620474 0t0 TCP wjq.comsys.com:ssh->10.1.1.123:60667 (ESTABLISHED)
-- list the network connection information for all tcp or udp connections (udp shown here; use tcp for TCP)
[root@wjq ~]# lsof -i udp
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
avahi-dae 632 avahi 12u IPv4 16000 0t0 UDP *:mdns
avahi-dae 632 avahi 13u IPv4 16001 0t0 UDP *:59037
dnsmasq 1386 nobody 3u IPv4 21368 0t0 UDP *:bootps
dnsmasq 1386 nobody 5u IPv4 21375 0t0 UDP wjq.comsys.com:domain
oracle 1832 oracle 9u IPv6 25267 0t0 UDP localhost:41804
oracle 1852 oracle 14u IPv6 30917 0t0 UDP *:56442
oracle 1860 oracle 14u IPv6 25837 0t0 UDP *:44721
oracle 1864 oracle 9u IPv6 25506 0t0 UDP localhost:18001
oracle 1866 oracle 9u IPv6 25501 0t0 UDP localhost:17685
-- list who is using a port
[root@wjq ~]# lsof -i:3306
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
mysqld 1178 mysql 14u IPv4 20988 0t0 TCP *:mysql (LISTEN)
[root@wjq ~]#
[root@wjq ~]# lsof -i:80
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
httpd 940 root 4u IPv6 20914 0t0 TCP *:http (LISTEN)
httpd 1330 apache 4u IPv6 20914 0t0 TCP *:http (LISTEN)
httpd 1331 apache 4u IPv6 20914 0t0 TCP *:http (LISTEN)
httpd 1332 apache 4u IPv6 20914 0t0 TCP *:http (LISTEN)
httpd 1333 apache 4u IPv6 20914 0t0 TCP *:http (LISTEN)
httpd 1334 apache 4u IPv6 20914 0t0 TCP *:http (LISTEN)
-- see who is using a particular udp port
[root@wjq ~]# lsof -i udp:56442
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
oracle 1852 oracle 14u IPv6 30917 0t0 UDP *:56442
[root@wjq ~]# lsof -i tcp:80
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
httpd 940 root 4u IPv6 20914 0t0 TCP *:http (LISTEN)
httpd 1330 apache 4u IPv6 20914 0t0 TCP *:http (LISTEN)
httpd 1331 apache 4u IPv6 20914 0t0 TCP *:http (LISTEN)
httpd 1332 apache 4u IPv6 20914 0t0 TCP *:http (LISTEN)
httpd 1333 apache 4u IPv6 20914 0t0 TCP *:http (LISTEN)
httpd 1334 apache 4u IPv6 20914 0t0 TCP *:http (LISTEN)
-- check the connections to 10.1.1.46
[root@wjq ~]# lsof -i@10.1.1.46
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
oracle 1832 oracle 12u IPv4 44942 0t0 TCP wjq.comsys.com:58605->wjq.comsys.com:ncube-lm (ESTABLISHED)
tnslsnr 3780 oracle 13u IPv6 44943 0t0 TCP wjq.comsys.com:ncube-lm->wjq.comsys.com:58605 (ESTABLISHED)
sshd 27091 root 3u IPv4 1620474 0t0 TCP wjq.comsys.com:ssh->10.1.1.123:60667 (ESTABLISHED)
-- check the files opened for port 58605 of 10.1.1.46
[root@wjq ~]# lsof -i@10.1.1.46:58605
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
oracle 1832 oracle 12u IPv4 44942 0t0 TCP wjq.comsys.com:58605->wjq.comsys.com:ncube-lm (ESTABLISHED)
tnslsnr 3780 oracle 13u IPv6 44943 0t0 TCP wjq.comsys.com:ncube-lm->wjq.comsys.com:58605 (ESTABLISHED)
-- lists all active network ports for a user
[root@wjq ~]# lsof -a -i -u oracle
lsof: WARNING: can't stat() fuse.gvfsd-fuse file system /run/user/42/gvfs
      Output information may be incomplete.
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
oracle 1832 oracle 9u IPv6 25267 0t0 UDP localhost:41804
oracle 1832 oracle 12u IPv4 44942 0t0 TCP wjq.comsys.com:58605->wjq.comsys.com:ncube-lm (ESTABLISHED)
oracle 1852 oracle 14u IPv6 30917 0t0 UDP *:56442
oracle 1860 oracle 14u IPv6 25837 0t0 UDP *:44721
oracle 1864 oracle 9u IPv6 25506 0t0 UDP localhost:18001
oracle 1864 oracle 10u IPv6 25509 0t0 TCP *:28327 (LISTEN)
oracle 1866 oracle 9u IPv6 25501 0t0 UDP localhost:17685
tnslsnr 3780 oracle 8u IPv6 44829 0t0 TCP *:ncube-lm (LISTEN)
tnslsnr 3780 oracle 13u IPv6 44943 0t0 TCP wjq.comsys.com:ncube-lm->wjq.comsys.com:58605 (ESTABLISHED)
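To act on the network listings above, the following added example (not part of the original article) condenses `lsof -i` output to one line per listening or bound socket and marks the ones bound to every interface. The function names are constructed for this example, the sample rows are copied from the listing above, and the nine-column layout shown there (no TID column) is assumed.

```shell
#!/bin/sh
# Added example: condense `lsof -i` output to one line per listening or bound socket.
# Live use (as root): lsof -i -P -n | summarize_listeners
#   -P keeps port numbers numeric, -n skips host name lookups.

# Reads `lsof -i` text on stdin and prints, per distinct socket:
#   scope proto/family port users command pids
# Rows that share a DEVICE value are the same socket held by several
# processes (for example forked httpd workers), so they are merged.
summarize_listeners() {
    awk '
    $1 == "COMMAND"                            { next }  # header line
    $8 != "TCP" && $8 != "UDP"                 { next }  # not an Internet socket row
    $8 == "TCP" && $NF != "(LISTEN)"           { next }  # TCP: keep listeners only
    $9 ~ /->/                                  { next }  # has a peer address: a connection
    {
        n = split($9, part, ":")               # NAME is addr:port, port is the last part
        port = part[n]
        addr = substr($9, 1, length($9) - length(port) - 1)
        key = $6                               # DEVICE identifies the socket itself
        if (!(key in seen)) {
            seen[key] = 1
            order[++count] = key
            scope[key] = (addr == "*") ? "all-interfaces" : "specific-address"
            proto[key] = $8 "/" $5
            prt[key] = port
            cmd[key] = $1
            usr[key] = $3
            pids[key] = $2
        } else {
            if (index("," usr[key] ",", "," $3 ",") == 0)
                usr[key] = usr[key] "," $3
            pids[key] = pids[key] "," $2
        }
    }
    END {
        for (i = 1; i <= count; i++) {
            k = order[i]
            print scope[k], proto[k], prt[k], usr[k], cmd[k], pids[k]
        }
    }'
}

# Sample rows taken from the lsof -i listing in this article.
sample_lsof_output() {
    cat <<'EOF'
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
cupsd 931 root 12u IPv4 20260 0t0 TCP localhost:ipp (LISTEN)
httpd 940 root 4u IPv6 20914 0t0 TCP *:http (LISTEN)
sshd 978 root 3u IPv4 19298 0t0 TCP *:ssh (LISTEN)
mysqld 1178 mysql 14u IPv4 20988 0t0 TCP *:mysql (LISTEN)
httpd 1330 apache 4u IPv6 20914 0t0 TCP *:http (LISTEN)
httpd 1331 apache 4u IPv6 20914 0t0 TCP *:http (LISTEN)
oracle 1852 oracle 14u IPv6 30917 0t0 UDP *:56442
oracle 1832 oracle 12u IPv4 44942 0t0 TCP wjq.comsys.com:58605->wjq.comsys.com:ncube-lm (ESTABLISHED)
sshd 27091 root 3u IPv4 1620474 0t0 TCP wjq.comsys.com:ssh->10.1.1.123:60667 (ESTABLISHED)
EOF
}

sample_lsof_output | summarize_listeners
```

The `all-interfaces` lines are the sockets to compare against the host's intended exposure; the merged PID list shows every process that can accept on that socket.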
Example 9: view the file information opened by a user group
[root@wjq ~]# id
uid=0(root) gid=0(root) groups=0(root)
[root@wjq ~]#
[root@wjq ~]# lsof -g 0 | head -10
lsof: WARNING: can't stat() fuse.gvfsd-fuse file system /run/user/42/gvfs
      Output information may be incomplete.
COMMAND PID PGID USER FD TYPE DEVICE SIZE/OFF NODE NAME
kthreadd 2 0 root cwd DIR 253,0 4096 64 /
kthreadd 2 0 root rtd DIR 253,0 4096 64 /
kthreadd 2 0 root txt unknown /proc/2/exe
ksoftirqd 3 0 root cwd DIR 253,0 4096 64 /
ksoftirqd 3 0 root rtd DIR 253,0 4096 64 /
ksoftirqd 3 0 root txt unknown /proc/3/exe
migration 7 0 root cwd DIR 253,0 4096 64 /
migration 7 0 root rtd DIR 253,0 4096 64 /
migration 7 0 root txt unknown /proc/7/exe
Example 10: show all open files in the COMMAND column that begin with scsi and sh
[root@wjq ~]# lsof -c scsi -c sh
lsof: WARNING: can't stat() fuse.gvfsd-fuse file system /run/user/42/gvfs
      Output information may be incomplete.
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
scsi_eh_0 271 root cwd DIR 253,0 4096 64 /
scsi_eh_0 271 root rtd DIR 253,0 4096 64 /
scsi_eh_0 271 root txt unknown /proc/271/exe
scsi_tmf_ 273 root cwd DIR 253,0 4096 64 /
scsi_tmf_ 273 root rtd DIR 253,0 4096 64 /
scsi_tmf_ 273 root txt unknown /proc/273/exe
scsi_eh_1 274 root cwd DIR 253,0 4096 64 /
scsi_eh_1 274 root rtd DIR 253,0 4096 64 /
scsi_eh_1 274 root txt unknown /proc/274/exe
scsi_tmf_ 276 root cwd DIR 253,0 4096 64 /
scsi_tmf_ 276 root rtd DIR 253,0 4096 64 /
scsi_tmf_ 276 root txt unknown /proc/276/exe
scsi_eh_2 290 root cwd DIR 253,0 4096 64 /
scsi_eh_2 290 root rtd DIR 253,0 4096 64 /
scsi_eh_2 290 root txt unknown /proc/290/exe
scsi_tmf_ 291 root cwd DIR 253,0 4096 64 /
scsi_tmf_ 291 root rtd DIR 253,0 4096 64 /
scsi_tmf_ 291 root txt unknown /proc/291/exe
Example 11: display every three seconds
[root@wjq ~]# lsof -i:3306 -r 3
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
mysqld 1178 mysql 14u IPv4 20988 0t0 TCP *:mysql (LISTEN)
=======
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
mysqld 1178 mysql 14u IPv4 20988 0t0 TCP *:mysql (LISTEN)
=======
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
mysqld 1178 mysql 14u IPv4 20988 0t0 TCP *:mysql (LISTEN)
=======
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
mysqld 1178 mysql 14u IPv4 20988 0t0 TCP *:mysql (LISTEN)
=======
[root@wjq ~]# lsof -i:3306 +r 3
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
mysqld 1178 mysql 14u IPv4 20988 0t0 TCP *:mysql (LISTEN)
=======
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
mysqld 1178 mysql 14u IPv4 20988 0t0 TCP *:mysql (LISTEN)
=======
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
mysqld 1178 mysql 14u IPv4 20988 0t0 TCP *:mysql (LISTEN)
=======
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
mysqld 1178 mysql 14u IPv4 20988 0t0 TCP *:mysql (LISTEN)
=======
Description:
-r: displays every three seconds until Ctrl+C exits
+r: displays every three seconds until lsof has no data to show or Ctrl+C exits
Example 12: restore deleted files
When a Linux computer is compromised, it is common for log files to be deleted to cover the attacker's tracks. Administrative errors can also cause important files to be deleted accidentally, for example deleting a database's active transaction log while cleaning up old logs. Sometimes these files can be recovered through lsof.
When a process opens a file, the file continues to exist on disk for as long as the process keeps it open, even if it is deleted. The process does not know that the file has been deleted, and it can still read from and write to the file descriptor it was given when it opened the file. The file is not visible to anything except that process, because its directory entry has been removed.
The /proc directory contains various files that reflect the kernel and the process tree. /proc is mounted from a region mapped in memory, so these files and directories do not exist on disk; when we read from and write to them, we are actually getting the information from memory. Most of the information lsof relies on is stored in directories named after each process's PID, that is, /proc/1234 contains information about the process with PID 1234. Each process directory holds files that let applications easily inspect the process's memory space, its list of file descriptors, symbolic links to files on disk, and other system information. lsof uses this information, together with other information about the internal state of the kernel, to produce its output. That is how lsof can display a process's file descriptors and the related file names, and it means we can find information about a file by accessing the process's file descriptor.
When a file on the system is accidentally deleted, as long as some process is still accessing the file, we can restore its contents from the /proc directory with the help of lsof.
If the /var/log/messages file is deleted by mistake, the method to restore it is as follows:
First, use lsof to see whether any process currently has the /var/log/messages file open, as follows:
[root@wjq ~]# lsof | grep /var/log/messages
lsof: WARNING: can't stat() fuse.gvfsd-fuse file system /run/user/42/gvfs
      Output information may be incomplete.
abrt-watc 650 root 4r REG 253,0 53823 48711749 /var/log/messages
rsyslogd 932 root 3w REG 253,0 53823 48711749 /var/log/messages
in:imjour 932 965 root 3w REG 253,0 53823 48711749 /var/log/messages
rs:main 932 966 root 3w REG 253,0 53823 48711749 /var/log/messages
From the above information, you can see that PID 932 (syslogd) has the file open with file descriptor 3. You can also see that /var/log/messages is marked as deleted. So we can view the corresponding data in /proc/932/fd/3 (each numeric file under fd represents the corresponding file descriptor of the process), as follows:
[root@wjq fd]# head -n 10 /proc/932/fd/3
Oct 29 03:39:01 wjq rsyslogd: [origin software="rsyslogd" swVersion="7.4.7" x-pid="932" x-info="http://www.rsyslog.com"] rsyslogd was HUPed
Oct 29 03:39:01 wjq logrotate: ALERT exited abnormally with [1]
Oct 29 03:40:01 wjq systemd: Started Session 596 of user root.
Oct 29 03:40:01 wjq systemd: Starting Session 596 of user root.
Oct 29 03:50:01 wjq systemd: Started Session 597 of user root.
Oct 29 03:50:01 wjq systemd: Starting Session 597 of user root.
Oct 29 04:00:01 wjq systemd: Started Session 598 of user root.
Oct 29 04:00:01 wjq systemd: Starting Session 598 of user root.
Oct 29 04:01:01 wjq systemd: Started Session 599 of user root.
Oct 29 04:01:01 wjq systemd: Starting Session 599 of user root.
If you can view the data through the file descriptor, you can copy it to a file using I/O redirection, for example:
[root@wjq fd]# cat /proc/932/fd/3 > /var/log/messages
[root@wjq fd]# lsof | grep /var/log/messages
lsof: WARNING: can't stat() fuse.gvfsd-fuse file system /run/user/42/gvfs
      Output information may be incomplete.
rsyslogd 932 root 3w REG 253,0 53950 48711749 /var/log/messages
in:imjour 932 965 root 3w REG 253,0 53950 48711749 /var/log/messages
rs:main 932 966 root 3w REG 253,0 53950 48711749 /var/log/messages
This method of restoring deleted files is useful for many applications, especially log files and databases.
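The recovery procedure above, as an added example that is not part of the original article: a POSIX shell script that reproduces it end to end in a scratch directory on Linux. A background `sleep` stands in for rsyslogd, and the function names and the temporary file are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: recover a deleted file through /proc/<pid>/fd while a process
# still holds it open. Linux only; everything lives in a scratch directory.

# Print "<fd> <original path>" for each descriptor of PID $1 whose file was unlinked.
# The kernel appends " (deleted)" to the target of the /proc/<pid>/fd/<n> symlink.
list_deleted_fds() (
    suffix=' (deleted)'
    for link in /proc/"$1"/fd/*; do
        target=$(readlink "$link" 2>/dev/null) || continue
        case $target in
            *"$suffix") printf '%s %s\n' "${link##*/}" "${target%"$suffix"}" ;;
        esac
    done
)

# Copy the data behind descriptor $2 of PID $1 to the path $3.
recover_fd() {
    cp -- "/proc/$1/fd/$2" "$3"
}

demo() (
    # Canonical path, so it compares equal to what /proc reports.
    dir=$(cd "$(mktemp -d)" && pwd -P) || exit 1
    log=$dir/messages
    printf 'Oct 29 03:40:01 host systemd: Started Session 596 of user root.\n' > "$log"
    before=$(cat "$log")

    # Stand-in for rsyslogd: open the log on fd 3, then start a child that inherits it.
    exec 3<"$log"
    sleep 30 >/dev/null 2>&1 &
    holder=$!
    exec 3<&-

    rm -f "$log"    # directory entry gone, data still reachable through the holder

    # Pick the descriptor whose recorded path is the file that was lost.
    fd=$(list_deleted_fds "$holder" | while read -r n path; do
            if [ "$path" = "$log" ]; then echo "$n"; fi
         done)

    restored=no
    if [ -n "$fd" ] && recover_fd "$holder" "$fd" "$log" \
            && [ "$(cat "$log")" = "$before" ]; then
        restored=yes
    fi

    kill "$holder" 2>/dev/null
    wait "$holder" 2>/dev/null || true
    rm -rf "$dir"
    printf 'fd=%s restored=%s\n' "$fd" "$restored"
)

demo
```

The restored copy is a new file with a new inode; the process that held the deleted file keeps writing to the old one until it reopens its log.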