How to use the lsof command

2025-02-24 Update. From: SLTechnology News&Howtos, Shulou (Shulou.com), 05/31

This article explains in detail how to use the lsof command. It is a very practical tool, so the material is shared here as a reference.

1. Introduction to lsof

lsof is a very practical system-level monitoring and diagnostic tool on Linux.

The name stands for List Open Files, which is easy to remember as "ls + of". It lists information about the files opened by processes. Remember that on Linux "everything is a file", including but not limited to pipes, sockets, directories, and devices.

With lsof you can therefore get information about any open file; simply running lsof produces a great deal of output. Because lsof needs to access kernel memory and a variety of files, it must be run as root to make full use of its functionality.

Usage:

lsof [option] [absolute path of file]

Example:

[root@localhost ~]# lsof /usr/sbin/httpd
COMMAND  PID   USER   FD  TYPE DEVICE SIZE/OFF   NODE NAME
httpd   6279   root  txt   REG    8,2   344112 415135 /usr/sbin/httpd
httpd   6281 apache  txt   REG    8,2   344112 415135 /usr/sbin/httpd
httpd   6282 apache  txt   REG    8,2   344112 415135 /usr/sbin/httpd
httpd   6283 apache  txt   REG    8,2   344112 415135 /usr/sbin/httpd
httpd   6284 apache  txt   REG    8,2   344112 415135 /usr/sbin/httpd
httpd   6285 apache  txt   REG    8,2   344112 415135 /usr/sbin/httpd
httpd   6286 apache  txt   REG    8,2   344112 415135 /usr/sbin/httpd
httpd   6287 apache  txt   REG    8,2   344112 415135 /usr/sbin/httpd
httpd   6288 apache  txt   REG    8,2   344112 415135 /usr/sbin/httpd
httpd   6546 apache  txt   REG    8,2   344112 415135 /usr/sbin/httpd

Each line shows one open file. If no argument is given, lsof lists all files opened on the system.

COMMAND: process name

PID: process identifier

USER: process owner

FD: the file descriptor, by which the application identifies the file, such as cwd, txt, etc.

TYPE: file type, such as DIR, REG

DEVICE: the device (disk) the file resides on

SIZE: file size

NODE: inode (the identifier of the file on disk)

NAME: the exact name of the open file

Note: in the FD column, cwd indicates the application's current working directory, which is the directory where the program was started, unless the program changes it itself. txt entries are program code, such as the application binary itself or shared libraries. A numeric value is the application's file descriptor, an integer returned when the file is opened.

The following is an example:

COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF   NODE NAME
lsof    6660 root    0u   CHR  136,0      0t0      3 /dev/pts/0
lsof    6660 root    1u   CHR  136,0      0t0      3 /dev/pts/0
lsof    6660 root    2u   CHR  136,0      0t0      3 /dev/pts/0
lsof    6660 root    3r   DIR    0,3        0      1 /proc
lsof    6660 root    4r   DIR    0,3        0  36358 /proc/6660/fd
lsof    6660 root    5w  FIFO    0,8      0t0  36363 pipe
lsof    6660 root    6r  FIFO    0,8      0t0  36364 pipe
lsof    6661 root  cwd    DIR    8,2     4096 130562 /root
lsof    6661 root  rtd    DIR    8,2     4096      2 /
lsof    6661 root  txt    REG    8,2   154356 415242 /usr/sbin/lsof
lsof    6661 root  mem    REG    8,2  1907156 914957 /lib/libc-2.12.so
lsof    6661 root  mem    REG    8,2    17892 914963 /lib/libdl-2.12.so
lsof    6661 root  mem    REG    8,2   141080 914950 /lib/ld-2.12.so
lsof    6661 root  mem    REG    8,2   120780 915040 /lib/libselinux.so.1
lsof    6661 root  mem    REG    8,2 99154448 395123 /usr/lib/locale/locale-archive
lsof    6661 root    4r  FIFO    0,8      0t0  36363 pipe
lsof    6661 root    7w  FIFO    0,8      0t0  36364 pipe

Here u indicates that the file is open in read/write mode rather than read-only or write-only mode; r is read-only; w is write-only; W indicates that the application holds a write lock on the entire file (ensuring that only one instance of the application can have it open at a time).

Every application starts with three file descriptors, 0 to 2, representing the standard input, output, and error streams, respectively. Therefore the descriptors that most applications open themselves start at 3.
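The FD column rules above can be applied mechanically. The following shell script is an added example, not part of the original article; the function names decode_fd, writable_files and sample_lsof are illustrative, and the sample lines are constructed from the listing above. It decodes one FD value and then lists every descriptor in lsof output that is open for writing.

```shell
#!/bin/sh
# Added example: decode the FD column of default lsof output.

# decode_fd FDVALUE: print "kind id mode lock" for one FD column value.
decode_fd() {
    case "$1" in
        cwd|rtd|txt|mem) echo "special $1 - -"; return 0 ;;
    esac
    num=$(printf '%s' "$1" | sed 's/[^0-9].*$//')  # leading digits = descriptor number
    [ -n "$num" ] || { echo "unknown $1 - -"; return 1; }
    rest=${1#"$num"}                               # mode letter, then optional lock letter
    case "$rest" in
        r*) mode=read ;;
        w*) mode=write ;;
        u*) mode=read/write ;;
        *)  mode=unknown ;;
    esac
    case "$rest" in
        ?W) lock=write-lock ;;
        *)  lock=none ;;
    esac
    echo "descriptor $num $mode $lock"
}

# writable_files: read lsof output on stdin and print "PID FD NAME" for every
# descriptor opened w or u. Assumes NAME contains no spaces.
writable_files() {
    while read -r cmd pid user fd type rest; do
        [ "$cmd" = COMMAND ] && continue
        info=$(decode_fd "$fd") || continue
        set -- $info
        case "$3" in
            write|read/write) echo "$pid $2 ${rest##* }" ;;
        esac
    done
}

# Constructed sample, modelled on the listing above.
sample_lsof() {
    cat <<'EOF'
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
lsof 6660 root 0u CHR 136,0 0t0 3 /dev/pts/0
lsof 6660 root 3r DIR 0,3 0 1 /proc
lsof 6660 root 5w FIFO 0,8 0t0 36363 pipe
lsof 6661 root cwd DIR 8,2 4096 130562 /root
lsof 6661 root txt REG 8,2 154356 415242 /usr/sbin/lsof
EOF
}

sample_lsof | writable_files
```

On a live system, replace sample_lsof with a real invocation such as lsof -p followed by a PID.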

TYPE: REG, DIR, CHR, BLK, UNIX, FIFO, IPv4

2. Restoring deleted files using lsof

When a file on the system is accidentally deleted, as long as some process still has the file open, you can use lsof to locate it and restore its contents from the /proc directory.

Suppose the /var/log/messages file is deleted. To restore it:

First use lsof to see whether any process has /var/log/messages open:

# lsof | grep /var/log/messages

[root@localhost ~]# rm /var/log/messages
rm: remove regular file '/var/log/messages'? y
[root@localhost ~]# lsof | grep /var/log/messages
rsyslogd 5925 root 1w REG 8 4369 266184 /var/log/messages (deleted)

From this output you can see that PID 5925 (rsyslogd) has the file open with file descriptor 1, and that /var/log/messages is marked as deleted.

You can therefore view the file's contents through the corresponding file descriptor under /proc:

[root@localhost ~]# cat /proc/5925/fd/1

May 12 08:04:11 localhost kernel: hpet1: lost 3 rtc interrupts

May 12 08:04:11 localhost kernel: hpet1: lost 6 rtc interrupts

May 12 08:04:11 localhost kernel: hpet1: lost 1 rtc interrupts

May 12 09:25:33 localhost kernel: usb 2-2.1: USB disconnect, device number 10

May 12 09:25:33 localhost kernel: eth0: link down

May 12 09:25:33 localhost kernel: usb 2-2.1: new full speed USB device number 11 using uhci_hcd

May 12 09:25:33 localhost kernel: usb 2-2.1: New USB device found, idVendor=0e0f, idProduct=0008

May 12 09:25:33 localhost kernel: usb 2-2.1: New USB device strings: Mfr=1, Product=2, SerialNumber=3

May 12 09:25:33 localhost kernel: usb 2-2.1: Product: Virtual Bluetooth Adapter

May 12 09:25:33 localhost kernel: usb 2-2.1: Manufacturer: VMware

May 12 09:25:33 localhost kernel: usb 2-2.1: SerialNumber: 000650268328

May 12 09:25:33 localhost kernel: usb 2-2.1: configuration #1 chosen from 1 choice

Finally, restore the deleted /var/log/messages by redirecting the output:

# cat /proc/5925/fd/1 > /var/log/messages
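The recovery procedure above can be rehearsed safely on a scratch file. The following shell script is an added example, not part of the original article; it requires Linux /proc, the function names are illustrative, and a background sleep process stands in for rsyslogd. It reads the /proc/PID/fd links directly, which is the same information lsof reports as "(deleted)".

```shell
#!/bin/sh
# Added example; needs Linux /proc. Function names are illustrative.

# find_deleted_fd PID PATH: print the descriptor through which PID still holds
# PATH after it was unlinked; return 1 if there is none.
find_deleted_fd() {
    for link in /proc/"$1"/fd/*; do
        [ "$(readlink "$link" 2>/dev/null)" = "$2 (deleted)" ] || continue
        basename "$link"
        return 0
    done
    return 1
}

# recover_deleted PID FD DEST: copy the still-open content to DEST, refusing
# to overwrite an existing file.
recover_deleted() {
    if [ -e "$3" ]; then echo "refusing to overwrite $3" >&2; return 1; fi
    cat /proc/"$1"/fd/"$2" > "$3"
}

# demo: hold a scratch file open, delete it, recover it, and print
# "recovered" if the copy is byte-identical to the original.
demo() {
    dir=$(mktemp -d) && dir=$(cd "$dir" && pwd -P) || return 1
    printf 'May 12 08:04:11 localhost kernel: constructed sample line\n' > "$dir/messages"
    before=$(cksum < "$dir/messages")
    # Stand-in for rsyslogd: a process that keeps the file open on descriptor 0.
    sleep 30 < "$dir/messages" > /dev/null 2>&1 &
    holder=$!
    sleep 1                             # let the holder open the file first
    rm -f "$dir/messages"
    result=failed
    if fd=$(find_deleted_fd "$holder" "$dir/messages") &&
       recover_deleted "$holder" "$fd" "$dir/messages.recovered" &&
       [ "$(cksum < "$dir/messages.recovered")" = "$before" ]; then
        result=recovered
    fi
    kill "$holder" 2>/dev/null || true
    rm -rf "$dir"
    echo "$result"
}

demo
```

After a real recovery the daemon keeps writing to the old, unlinked inode, so restart or reload it to make it reopen the restored path. The restored file is created with the ownership and permissions of the shell that ran the redirection, so check them against what the daemon expects.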

3. Detailed explanation of the lsof command

3.1 View command details

# lsof -h

3.2 List all open files

# lsof

Running lsof without any parameters lists all files opened by all processes.

3.3 Find out who is using a file

# lsof /path/to/file

Given the absolute path of a file, lsof lists all the processes that are using that file.

You can also specify more than one file at a time, and lsof will list all the processes that use any of them:

# lsof /path/to/file1 /path/to/file2

3.4 Recursively find all open files in a directory

# lsof +D /usr/lib

With the +D parameter, lsof searches the specified directory recursively. Note that this is slower than the grep version:

# lsof | grep '/usr/lib'

It is slow because +D first looks up all the files and then outputs them at once.

3.5 List all files opened by a user

# lsof -u pkrumins

The -u option limits the output to files opened by the user pkrumins. You can specify multiple users separated by commas:

# lsof -u rms,root

This command lists all files opened by the rms and root users.

You can also use more than one -u to do the same thing:

# lsof -u rms -u root

3.6 Find all files opened by a program

# lsof -c apache

The -c option restricts the output to files opened by processes whose names start with apache.

So you don't have to write something like this:

# lsof | grep foo

Instead, use the following shorter version:

# lsof -c foo

In fact, you only need to specify the beginning of the process name:

# lsof -c apa

This lists all files opened by processes whose names start with apa.

You can also give multiple -c parameters:

# lsof -c apache -c python

This lists all files opened by apache and python.

3.7 List all files opened by a user or a process

# lsof -u pkrumins -c apache

You can combine multiple options. They are combined with OR by default, which means that the above command lists files opened by either the pkrumins user or the apache process.

3.8 List all files opened by a user and a process

# lsof -a -u pkrumins -c bash

The -a parameter changes the combination of multiple options from OR to AND, so the above command lists all files opened by bash processes belonging to the pkrumins user.

3.9 List the files opened by all users except root

# lsof -u ^root

Notice the ^ symbol before root. It negates the match, so lsof lists all files opened by users other than root.

3.10 List all files opened by the process with a given PID

# lsof -p 1

The -p option filters the output by process ID.

You can also specify multiple PIDs separated by commas:

# lsof -p 450,980,333

List all files opened by every process except a given PID:

# lsof -p ^1

As with users above, ^ negates the -p option.

3.11 List all network connections

# lsof -i

The -i option of lsof lists all processes with network sockets (TCP and UDP) open.

3.12 List all TCP network connections

# lsof -i tcp

The -i option also accepts an argument. With tcp, lsof lists only the processes that have TCP sockets open.

3.13 List all UDP network connections

# lsof -i udp

Likewise, udp makes lsof list only the processes that use UDP sockets.

3.14 Find the process that is using a port

# lsof -i :25

Combining :25 with the -i option makes lsof list the processes that occupy TCP or UDP port 25.

You can also use the port name from /etc/services instead of the port number, such as:

# lsof -i :smtp

Find the process that is using a UDP port:

# lsof -i udp:53

Similarly, you can find the process that is using a TCP port:

# lsof -i tcp:80

3.15 Find all network connections of a user

# lsof -a -u hacker -i

Using -a to combine the -u and -i options makes lsof list all the network activity of a user.

3.16 List all NFS (Network File System) files

# lsof -N

This parameter is easy to remember: -N corresponds to NFS.

3.17 List all UNIX domain socket files

# lsof -U

This option is also easy to remember: -U corresponds to UNIX.

3.18 List all processes belonging to a process group ID

# lsof -g 1234

Process groups are used to group processes logically. This example looks for files opened by all processes with a PGID of 1234.

3.19 List all files associated with a descriptor

# lsof -d 2

This command lists all files opened as descriptor 2.

You can also specify a range of descriptors:

# lsof -d 0-2

This lists all files with a descriptor of 0, 1, or 2.

The -d option also supports a number of special values. The following command lists all memory-mapped files:

# lsof -d mem

The special value txt lists all programs that are loaded in memory and executing:

# lsof -d txt

3.20 Output the PIDs of processes that use certain resources

# lsof -t -i

The -t option outputs only the PID of each process. You can combine it with the -i option to output the PIDs of processes using a port. The following command kills all processes that are using the network:

# kill -9 `lsof -t -i`

3.21 List files in a loop

# lsof -r 1

The -r option makes lsof repeat the listing until it is interrupted. The argument 1 means to repeat every second. This option is best combined with a narrower query, for example to monitor network activity:

# lsof -r 1 -u john -i -a

4. How to install lsof?

Many Unix systems ship with lsof. If it is not installed on your system, you can download the source code directly from https://people.freebsd.org/~abe/.

BSD systems have a similar tool called fstat that can do the same thing.

The complete lsof documentation is available through man lsof, and a summary through lsof -h.
