Linux Command Tutorial: Getting Started with lsof
lsof is an über-tool for system administration and security. Most of the time I use it to obtain network-connection information from a system, but that is only the first thing this powerful and little-known program can do. The name describes what it does: it "lists open files". Remember that in Unix everything, including network sockets, is a file.
Interestingly, lsof also has one of the largest option sets of any Linux/Unix command. It has a great many switches, and many of them accept both the - and + prefixes.
- usage: [-?abhlnNoOPRstUvV] [+|-c c] [+|-d s] [+D D] [+|-f[cgG]]
- [-F [f]] [-g [s]] [-i [i]] [+|-L [l]] [+|-M] [-o [o]]
- [-p s] [+|-r [t]] [-S [t]] [-T [t]] [-u s] [+|-w] [-x [fl]] [--] [names]
As you can see, lsof has a surprising number of options. You can use it to obtain information about devices on your system, to find out what a given user is touching in a given location, or even which files and network connections a particular process has open.
For me, lsof replaces the work of netstat and ps: it gives me everything those tools do and much more. Let's take a look at some of its basic capabilities:
Key options
It is important to understand a few key things about how lsof works. The most important is that when you pass several selection options, the default is to OR their results together. So if you use -i to select network files and -p to select a process, by default you get the union of both, not the intersection.
The following things should be kept in mind:
- Default: with no options, lsof lists all open files of all active processes.
- Combining: options can be combined, e.g. -abc, but be careful about which options take an argument.
- -a: AND the selections together instead of ORing them.
- -l: show user IDs instead of user names in the output.
- -h: show help.
- -t: print only process IDs (terse output, convenient for piping to other commands).
- -U: select UNIX domain socket files.
- -F: format the output for consumption by other programs. You choose which fields to emit, e.g. -F pcfn for process ID, command name, file descriptor and file name; adding 0 to the list (-F pcfn0) terminates each field with a NUL instead of a newline.
Obtain Network Information
As I said, I mainly use lsof to obtain information about how the system is talking to the network. Here are some of the things you can ask it:
Use -i to show all connections
Some people like to use netstat to get network connections, but I prefer lsof. The results are displayed in a way that is intuitive to me, and I only need to change the syntax slightly to get more information from the same command.
- # lsof -i
-
- COMMAND  PID USER   FD   TYPE DEVICE SIZE NODE NAME
- dhcpcd  6061 root    4u  IPv4   4510       UDP *:bootpc
- sshd    7703 root    3u  IPv6   6499       TCP *:ssh (LISTEN)
- sshd    7892 root    3u  IPv6   6757       TCP 10.10.1.5:ssh->192.168.1.5:49901 (ESTABLISHED)
Use -i 6 to show only IPv6 traffic (and -i 4 for IPv4 only)
- # lsof -i 6
Show only TCP connections (UDP works the same way)
You can also give the protocol after -i to show only TCP or only UDP network files.
- # lsof -iTCP
-
- COMMAND  PID USER   FD   TYPE DEVICE SIZE NODE NAME
- sshd    7703 root    3u  IPv6   6499       TCP *:ssh (LISTEN)
- sshd    7892 root    3u  IPv6   6757       TCP 10.10.1.5:ssh->192.168.1.5:49901 (ESTABLISHED)
Use -i :port to show network files for a given port
Alternatively, you can search by port, which is great for finding out what is holding a port that another application is failing to bind.
- # lsof -i :22
-
- COMMAND  PID USER   FD   TYPE DEVICE SIZE NODE NAME
- sshd    7703 root    3u  IPv6   6499       TCP *:ssh (LISTEN)
- sshd    7892 root    3u  IPv6   6757       TCP 10.10.1.5:ssh->192.168.1.5:49901 (ESTABLISHED)
Use @host to show connections to a given host
This is useful when you want to check whether there is an open connection to a given host on your network or on the Internet.
- # lsof -i @172.16.12.5
-
- sshd    7892 root    3u  IPv6   6757       TCP 10.10.1.5:ssh->172.16.12.5:49901 (ESTABLISHED)
Use @host:port to show connections to a given port on a given host
You can also combine host and port in one selection.
- # lsof -i @172.16.12.5:22
-
- sshd    7892 root    3u  IPv6   6757       TCP 10.10.1.5:ssh->172.16.12.5:49901 (ESTABLISHED)
Find listening ports
Find the ports that are waiting for connections:
- # lsof -i -sTCP:LISTEN
You can also grep for LISTEN to get the same result:
- # lsof -i | grep -i LISTEN
-
- iTunes   400 daniel   16u  IPv4 0x4575228      0t0  TCP *:daap (LISTEN)
Find established connections
You can also show only the connections that are currently established:
- # lsof -i -sTCP:ESTABLISHED
Or grep for ESTABLISHED to get the same result:
- # lsof -i | grep -i ESTABLISHED
-
- firefox-b 169 daniel   49u  IPv4      0t0  TCP 1.2.3.3:1863->1.2.3.4:http (ESTABLISHED)
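The -F option from the key-options list and the LISTEN/ESTABLISHED searches above fit together: grepping the human-readable table is fine at the prompt, but for anything scripted you want -F, which emits one field per line with a single-letter prefix. The script below is an added example, not code from the original article. It parses a constructed sample of what `lsof -nP -i -F pcfnT` prints (-n and -P skip DNS and service-name lookups, so ports come out numeric and lsof never stalls on a slow resolver), then flags listeners that are not on a hypothetical allowlist of expected ports and lists the remote peer of every established connection. The function names, the allowlist "22 68" and the extra python3 listener on port 8000 are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original article: make lsof output
# machine-readable with -F and run two small checks over it.
#
# -F prints one field per line, each prefixed with a letter:
#   p = PID, c = command, f = file descriptor, n = name (local[->remote]),
#   T = TCP info, e.g. TST=LISTEN or TST=ESTABLISHED (TQR/TQS are queue sizes).
# p and f are always emitted; the other letters follow what you pass to -F.

# Collapse one -F pcfnT record into a tab-separated line:
#   pid<TAB>command<TAB>fd<TAB>name<TAB>tcp_state
# Every field of one socket sits between one f line and the next f or p line,
# so a record is flushed when either arrives (or at end of input).
# UDP sockets carry no T lines, so their tcp_state stays empty.
parse_lsof_fields() {
    awk '
    function flush() {
        if (fd != "") printf "%s\t%s\t%s\t%s\t%s\n", pid, cmd, fd, name, state
        fd = ""; name = ""; state = ""
    }
    /^p/    { flush(); pid = substr($0, 2); cmd = ""; next }
    /^c/    { cmd = substr($0, 2); next }
    /^f/    { flush(); fd = substr($0, 2); next }
    /^n/    { name = substr($0, 2); next }
    /^TST=/ { state = substr($0, 5); next }
    END     { flush() }
    '
}

# Print listeners whose local port is not in the allowlist.
# $1 = space-separated list of expected ports; stdin = parse_lsof_fields output.
unexpected_listeners() {
    allow=" $1 "
    while IFS="$(printf '\t')" read -r pid cmd fd name state; do
        [ "$state" = "LISTEN" ] || continue
        port=${name##*:}                  # works for *:22 and [::]:22 alike
        case "$allow" in
            *" $port "*) ;;
            *) printf '%s\t%s\t%s\n' "$pid" "$cmd" "$name" ;;
        esac
    done
}

# Print command and remote peer for every ESTABLISHED connection.
established_peers() {
    while IFS="$(printf '\t')" read -r pid cmd fd name state; do
        [ "$state" = "ESTABLISHED" ] || continue
        printf '%s\t%s\n' "$cmd" "${name##*->}"
    done
}

# Constructed sample in -F pcfnT format: it mirrors the article's table, plus
# one hypothetical extra listener on port 8000 so the allowlist check has a hit.
SAMPLE='p6061
cdhcpcd
f4
n*:68
p7703
csshd
f3
n*:22
TST=LISTEN
TQR=0
TQS=0
p7892
csshd
f3
n10.10.1.5:22->192.168.1.5:49901
TST=ESTABLISHED
TQR=0
TQS=0
p9001
cpython3
f3
n*:8000
TST=LISTEN
TQR=0
TQS=0'

# Hypothetical allowlist for this host: ssh (22) and the DHCP client (68).
printf '%s\n' "$SAMPLE" | parse_lsof_fields | unexpected_listeners "22 68"
printf '%s\n' "$SAMPLE" | parse_lsof_fields | established_peers
# Live use (run as root, otherwise you only see your own processes' sockets):
#   lsof -nP -i -F pcfnT | parse_lsof_fields | unexpected_listeners "22 68"
```

On the sample, the allowlist check reports only the python3 listener on *:8000 and the peer check reports sshd talking to 192.168.1.5:49901. To narrow the live run, remember that selections OR by default: `lsof -nP -a -i -u root -F pcfnT` needs the -a to get root's network files rather than root's files plus everyone's network files.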