2025-04-10 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/01 Report
This article explains how to use the lsof command on a Linux system. It is fairly detailed and should serve as a useful reference; interested readers are encouraged to work through it.
lsof is a tool for viewing the files opened by a process. In a Linux system everything is a file, and files provide access not only to regular data but also to network connections and hardware. So lsof can show not only the files and directories a process has opened, but also socket-related information such as the ports a process is listening on.
Introduction to the lsof command: lsof is a good example of the Unix philosophy. It performs one function and does it well: it lists all the files opened by processes. An open file may be a regular file, a directory, an NFS file, a block or character device file, a shared library, an ordinary or named pipe, a symbolic link, a socket stream, a network socket, a UNIX domain socket, and more. Because "everything is a file" is one of the central ideas of Unix, the importance of lsof is easy to see.
Output: typing lsof at a terminal displays the files currently open on the system. Because lsof needs to read kernel memory and a wide range of files, it must be run as root to show everything.
Part of the output of a plain lsof invocation is:
COMMAND  PID  USER    FD   TYPE DEVICE SIZE/OFF    NODE NAME
init       1  root   cwd   DIR    8,1     4096       2 /
init       1  root   rtd   DIR    8,1     4096       2 /
init       1  root   txt   REG    8,1   150584  654127 /sbin/init
udevd    415  root    0u   CHR    1,3      0t0    6254 /dev/null
udevd    415  root    1u   CHR    1,3      0t0    6254 /dev/null
udevd    415  root    2u   CHR    1,3      0t0    6254 /dev/null
udevd    690  root   mem   REG    8,1    51736  302589 /lib/x86_64-linux-gnu/libnss_files-2.13.so
syslogd 1246  syslog  2w   REG    8,1    10187  245418 /var/log/auth.log
syslogd 1246  syslog  3w   REG    8,1    10118  245342 /var/log/syslog
dd      1271  root    0r   REG    0,3        0 4026532038 /proc/kmsg
dd      1271  root    1w  FIFO   0,15      0t0     409 /run/klogd/kmsg
dd      1271  root    2u   CHR    1,3      0t0    6254 /dev/null
Each line describes one open file. If no condition is specified, all files opened by all processes are displayed by default.
The meaning of each column of lsof's output is as follows:
COMMAND: name of the process
PID: process identifier
USER: process owner
FD: the file descriptor by which the application refers to the file, such as cwd or txt
TYPE: file type, such as DIR or REG
DEVICE: the disk device the file lives on
SIZE: the size of the file
NODE: inode (the identifier of the file on disk)
NAME: the exact name of the open file
In the FD column, the value cwd is the application's current working directory, that is, the directory it was started from unless it has since changed directory itself. Entries of type txt are program code, such as the application binary itself or shared libraries (for example the /sbin/init program in the list above).
Other FD values are numeric file descriptors, the integer returned when the file is opened. The /dev/initctl entry referred to above has file descriptor 10. The letter u indicates the file is open in read/write mode, as opposed to read-only (r) or write-only (w). An uppercase W indicates that the application holds a write lock on the entire file; such a descriptor is used to ensure that only one instance of the application runs at a time. Every application starts with three file descriptors, 0 through 2, representing standard input, output and error, so the FDs of files opened by most applications start at 3.
Compared with the FD column, the TYPE column is more intuitive. Files and directories are REG and DIR respectively; CHR and BLK are character and block devices; and UNIX, FIFO and IPv4 are UNIX domain sockets, first-in first-out (FIFO) queues and Internet Protocol (IP) sockets respectively.
Common parameters. The lsof syntax is: lsof [options] filename
lsof abc.txt            show the processes that have the file abc.txt open
lsof -c abc             show the files currently opened by processes whose command name starts with abc
lsof -p 1234            list the files opened by the process with PID 1234
lsof -g gid             show processes belonging to the group gid
lsof +d /usr/local/     show the files opened by processes within that directory
lsof +D /usr/local/     same as above, but also searches subdirectories (takes longer)
lsof -d 4               show processes using file descriptor 4
lsof -i                 show processes with network files matching the given conditions
lsof -i [46][protocol][@hostname|hostaddr][:service|port]
    46        IPv4 or IPv6
    protocol  TCP or UDP
    hostname  Internet host name
    hostaddr  IPv4 address
    service   service name from /etc/services (more than one may be given)
    port      port number (more than one may be given)
lsof usage examples: finding out who is using a file system
When a Linux machine is compromised, log files are commonly deleted to cover the attacker's tracks. Administrative mistakes can also delete important files, for example deleting a database's active transaction log while cleaning up old logs. Sometimes these files can be recovered with lsof.
When a process opens a file, the file continues to exist on disk for as long as the process keeps it open, even after it has been deleted. The process is unaware of the deletion and can still read and write through the file descriptor it received when it opened the file. To everything other than that process the file is invisible, because its directory entry (the name that pointed at its inode) has been removed.
The /proc directory contains files that reflect the state of the kernel and the process tree. /proc is a memory-mapped area, not something stored on disk, so reading and writing these files actually reads and writes kernel information in memory. Most of the information relevant to lsof is kept in a directory named after the process's PID: /proc/1234 holds information about the process with PID 1234. Each process directory contains files through which applications can learn about the process's memory space, its list of file descriptors, symbolic links to files on disk, and other system information. lsof combines this with other information about the internal state of the kernel to produce its output, which is why it can show a process's file descriptors together with the corresponding file names. In other words, we can reach a file's contents by going through the process's file descriptor.
When a file is accidentally deleted, as long as some process still has it open, its contents can be restored from the /proc directory with the help of lsof. If /var/log/messages has been deleted by mistake, it can be restored as follows:
First, use lsof to check whether any process currently has /var/log/messages open:
# lsof | grep /var/log/messages
syslogd 1283 root 2w REG 3 5381017 1773647 /var/log/messages (deleted)
The output shows that PID 1283 (syslogd) has the file open on file descriptor 2, and that /var/log/messages is marked as deleted. The contents can therefore be viewed through /proc/1283/fd/2 (each numeric entry under fd corresponds to one of the process's file descriptors):
# head -n 10 /proc/1283/fd/2
Aug 4 13:50:15 holmes86 syslogd 1.4.1: restart.
Aug 4 13:50:15 holmes86 kernel: klogd 1.4.1, log source = /proc/kmsg started.
Aug 4 13:50:15 holmes86 kernel: Linux version 2.6.22.1-8 (root@everestbuilder.linux-ren.org) (gcc version 4.2.0) #1 SMP Wed Jul 18 11:18:32 EDT 2007
Aug 4 13:50:15 holmes86 kernel: BIOS-provided physical RAM map:
Aug 4 13:50:15 holmes86 kernel: BIOS-e820: 00000000000000-000000000009f000 (usable)
Aug 4 13:50:15 holmes86 kernel: BIOS-e820: 000000000009f000-00000000000a0000 (reserved)
Aug 4 13:50:15 holmes86 kernel: BIOS-e820: 00000000100000-000000001f7d3800 (usable)
Aug 4 13:50:15 holmes86 kernel: BIOS-e820: 000000001f7d3800-00000020000000 (reserved)
Aug 4 13:50:15 holmes86 kernel: BIOS-e820: 00000000e0000000-00000000f0007000 (reserved)
Aug 4 13:50:15 holmes86 kernel: BIOS-e820: 00000000f0008000-00000000f000c000 (reserved)
As the output shows, the data to be recovered is readable through /proc/1283/fd/2. Once the right data is visible through the file descriptor, it can be copied back into a file with I/O redirection:
cat /proc/1283/fd/2 > /var/log/messages
This method of restoring deleted files works for many applications, especially for log files and databases.
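The recovery steps above can be scripted directly against /proc, which is the same mechanism lsof relies on: the kernel appends " (deleted)" to the symlink target of an unlinked but still-open file, which is the marker lsof prints in its NAME column. The following is an added example, not code from the article; the function names and the sample scenario (a file opened on descriptor 7 and then unlinked) are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the article): find and recover deleted-but-still-open
# files straight from /proc, the mechanism behind lsof's "(deleted)" marker.

# Print "PID FD PATH" for every descriptor of the given process (default: all
# processes readable by the caller) whose target has been unlinked. The kernel
# appends " (deleted)" to the readlink target of such descriptors, exactly the
# marker lsof shows in its NAME column. Unreadable fd directories are skipped.
list_deleted_open_files() {
    for link in /proc/${1:-[0-9]*}/fd/*; do
        target=$(readlink "$link" 2>/dev/null) || continue
        case "$target" in
            *' (deleted)')
                pid=${link#/proc/}; pid=${pid%%/*}
                printf '%s %s %s\n' "$pid" "${link##*/}" "${target% (deleted)}"
                ;;
        esac
    done
}

# Copy the contents of the still-open inode behind /proc/PID/fd/FD to DEST.
# Opening /proc/PID/fd/FD yields a fresh open file description starting at
# offset 0, so the whole file is copied regardless of the owner's position.
recover_open_file() {
    cat "/proc/$1/fd/$2" > "$3"
}

# Usage against a live system (as root, to see every process):
#   list_deleted_open_files
#   recover_open_file 1283 2 /var/log/messages
```

Two caveats matter in practice. Recovery is only possible while the process keeps the descriptor open; once it closes the file, the inode is freed. And the recovered copy is a new inode: a daemon such as syslogd keeps appending to the old, deleted one until it reopens its log (for syslogd, on SIGHUP), so restart or signal the writer after restoring the file.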
Practical commands
lsof `which httpd`                    which process is using apache's executable file
lsof /etc/passwd                      which process is using /etc/passwd
lsof /dev/hda6                        which process is using hda6
lsof /dev/cdrom                       which process is using the optical drive
lsof -c sendmail                      check the file usage of the sendmail process
lsof -c courier -u ^zahn              show files opened by processes whose name starts with courier but that do not belong to the user zahn
lsof -p 30297                         show the files opened by the process with PID 30297
lsof +D /tmp                          show all processes and files open in the /tmp folder (symbolic links are not listed)
lsof -u 1000                          check the file usage of processes of the user whose UID is 1000
lsof -u tony                          check the file usage of processes of the user tony
lsof -u ^tony                         check the file usage of processes that do not belong to the user tony (^ means negation)
lsof -i                               display all open ports
lsof -i :80                           show all processes that have port 80 open
lsof -i -U                            show all open ports and UNIX domain files
lsof -i UDP@www.akadia.com:123        show the processes that have opened UDP connections to port 123 (ntp) of www.akadia.com
lsof -i tcp@o.ks.edu.tw:ftp -r        keep watching the current ftp connections (with -r lsof repeats until it receives an interrupt signal; with +r it repeats until no files are displayed; the default refresh interval is 15s)
lsof -i tcp@o.ks.edu.tw:ftp -n        -n keeps IP addresses numeric instead of resolving them to host names; without -n, lsof resolves them
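The -i options above, together with the column layout described earlier, are what a defender uses to audit which services a host exposes. The following added example (not code from the article) reads the output format of "lsof -i -P -n" from standard input and separates sockets in the LISTEN state bound to a wildcard address from those bound to loopback. The sample output embedded in it is constructed for the example, as are the function names.

```shell
#!/bin/sh
# Added example (not from the article): summarise "lsof -i -P -n" output to
# list listening TCP sockets and flag those reachable from outside the host.

# Constructed sample output in the format "lsof -i -P -n" prints
# (-P keeps port numbers numeric, -n keeps addresses numeric).
SAMPLE_LSOF='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 812 root 3u IPv4 16543 0t0 TCP *:22 (LISTEN)
sshd 812 root 4u IPv6 16545 0t0 TCP *:22 (LISTEN)
nginx 1040 www-data 6u IPv4 20112 0t0 TCP 0.0.0.0:80 (LISTEN)
python3 2210 bob 3u IPv4 33019 0t0 TCP 127.0.0.1:8000 (LISTEN)
node 3305 bob 21u IPv6 40211 0t0 TCP [::]:3000 (LISTEN)
chronyd 600 _chrony 5u IPv4 15501 0t0 UDP 127.0.0.1:323
sshd 4120 root 5u IPv4 51230 0t0 TCP 10.0.0.5:22->10.0.0.9:51522 (ESTABLISHED)'

# Read lsof -i output on stdin and print "PID COMMAND ADDRESS" for each TCP
# socket in the LISTEN state. Columns: $1 COMMAND, $2 PID, $9 NAME, $10 state.
listening_sockets() {
    awk '$10 == "(LISTEN)" { print $2, $1, $9 }'
}

# Keep only listeners bound to every interface (*, 0.0.0.0 or [::]); these are
# the sockets to review first when checking what a host exposes to the network.
exposed_listeners() {
    listening_sockets | awk '$3 ~ /^(\*|0\.0\.0\.0|\[::\]):/'
}

# Usage against a live system (as root, to see other users' processes):
#   lsof -i -P -n | exposed_listeners
printf '%s\n' "$SAMPLE_LSOF" | exposed_listeners
```

Run on the sample, exposed_listeners reports the two sshd entries, nginx and node, while the python3 listener on 127.0.0.1:8000 and the chronyd UDP socket are left out. Compare the result against the host's expected service inventory; a wildcard listener that is not on the list is what to investigate.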