Introduction
lsof (list open files) is a tool that lists the files currently open on the system. In a Linux environment everything is represented as a file: files give access not only to regular data but also to network connections and hardware. For objects such as Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) sockets, the system assigns the application a file descriptor in the background. Regardless of the nature of the file, the descriptor provides a common interface between the application and the underlying operating system. Because the list of descriptors an application has open reveals a lot about the application itself, viewing that list with lsof is helpful for system monitoring and troubleshooting.
Meaning of the Output
Enter lsof at the terminal to display the files open on the system. Because lsof needs to access kernel memory and various files, it must be run as root to be fully functional.
Partial output of running lsof with no arguments:
COMMAND  PID   USER    FD   TYPE  DEVICE  SIZE/OFF  NODE        NAME
init     1     root    cwd  DIR   8,1     4096      2           /
init     1     root    rtd  DIR   8,1     4096      2           /
init     1     root    txt  REG   8,1     150584    654127      /sbin/init
udevd    415   root    0u   CHR   1,3     0t0       6254        /dev/null
udevd    415   root    1u   CHR   1,3     0t0       6254        /dev/null
udevd    415   root    2u   CHR   1,3     0t0       6254        /dev/null
udevd    690   root    mem  REG   8,1     51736     302589      /lib/x86_64-linux-gnu/libnss_files-2.13.so
syslogd  1246  syslog  2w   REG   8,1     10187     245418      /var/log/auth.log
syslogd  1246  syslog  3w   REG   8,1     10118     245342      /var/log/syslog
dd       1271  root    0r   REG   0,3     0         4026532038  /proc/kmsg
dd       1271  root    1w   FIFO  0,15    0t0       409         /run/klogd/kmsg
dd       1271  root    2u   CHR   1,3     0t0       6254        /dev/null
Each row shows one open file. If no conditions are specified, all files opened by all processes are displayed by default.
The lsof output columns have the following meanings:
COMMAND: name of the process
PID: process identifier
USER: process owner
FD: file descriptor, through which the application identifies the file, such as cwd, txt, etc.
TYPE: file type, such as DIR, REG, etc.
DEVICE: the name of the disk
SIZE/OFF: size of the file. In the value 0t0, 0t signifies decimal notation, so 0t0 means a file with size 0 in decimal notation. Source: http://unix.stackexchange.com/questions/89280/when-looking-at-lsof-output-what-does-0t0-mean
NODE: index node (the identity of the file on disk)
NAME: the exact name of the open file
In the FD column, the value cwd represents the application's current working directory, which is the directory the application was launched from unless the application itself changes it. A txt file is program code, such as the application binary itself or a shared library, like the /sbin/init program in the listing above.
The second kind of value is the application's file descriptor number, an integer returned when the file is opened. For example, for the file /dev/initctl on the last line, the file descriptor is 10. The letter u indicates that the file is open in read/write mode, rather than read-only (r) or write-only (w) mode. In addition, a capital W indicates that the application holds a write lock on the entire file. This file descriptor is used to ensure that only one instance of the application can be open at a time. When an application is first started it has three file descriptors, 0 to 2, representing the standard input, output, and error streams respectively. So for most applications, the files they open have FDs starting from 3.
The TYPE column is more intuitive than the FD column. Files and directories are shown as REG and DIR, respectively. CHR and BLK represent character and block devices, and unix, FIFO, and IPv4 represent UNIX domain sockets, first-in-first-out (FIFO) queues, and Internet Protocol (IP) sockets, respectively.
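The FD decoding described above, as an added example that is not part of the original article: decode_fd splits an FD value into descriptor number, access mode and lock flag, and writers lists the regular files a process holds open for writing, which is a quick way to see who is writing to a log file. The function names, the "exampled" row and the descriptions given for rtd and mem are additions; the other rows come from the listing above.

```shell
# Added example: decode the FD column of default lsof output.
# decode_fd FIELD -> description of one FD value (cwd, txt, 0r, 2w, 10u, 3uW ...)
decode_fd() {
    case $1 in
        cwd) echo "current working directory"; return 0 ;;
        rtd) echo "root directory"; return 0 ;;
        txt) echo "program code"; return 0 ;;
        mem) echo "memory-mapped file"; return 0 ;;
    esac
    num=${1%%[!0-9]*}            # leading digits = descriptor number
    rest=${1#"$num"}             # mode letter, then optional lock character
    [ -n "$num" ] || { echo "unrecognized"; return 1; }
    case $rest in
        r*) mode="read-only" ;;
        w*) mode="write-only" ;;
        u*) mode="read/write" ;;
        *)  echo "unrecognized"; return 1 ;;
    esac
    case $num in
        0) std=" (standard input)" ;;
        1) std=" (standard output)" ;;
        2) std=" (standard error)" ;;
        *) std="" ;;
    esac
    case ${rest#?} in
        W) lock=", write lock on entire file" ;;
        *) lock="" ;;
    esac
    echo "fd $num$std: $mode$lock"
}
# writers: read an lsof listing on stdin and print "COMMAND PID NAME" for regular
# files open for writing (mode w or u). Assumes no spaces in NAME, no empty columns.
writers() {
    awk 'NR > 1 && $5 == "REG" && $4 ~ /^[0-9]+[wu]/ { print $1, $2, $NF }'
}
# Sample listing: the "exampled" row is constructed, the rest is from the article.
sample_listing() {
    cat <<'EOF'
COMMAND   PID   USER  FD  TYPE DEVICE SIZE/OFF       NODE NAME
init        1   root txt   REG    8,1   150584     654127 /sbin/init
syslogd  1246 syslog  2w   REG    8,1    10187     245418 /var/log/auth.log
dd       1271   root  0r   REG    0,3        0 4026532038 /proc/kmsg
dd       1271   root  2u   CHR    1,3      0t0       6254 /dev/null
exampled 2000   root 3uW   REG    8,1        5     300001 /run/exampled.pid
EOF
}
sample_listing | writers
```

On a live system the same filter can be fed from a real listing, for example lsof | writers run as root.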
Common Parameters
The lsof syntax is:
lsof [options] filename
lsof abc.txt            shows the processes that have the file abc.txt open
lsof -c abc             shows the files currently opened by the abc process
lsof -p 1234            lists the files opened by the process with process number 1234
lsof -g gid             shows the processes belonging to gid
lsof +d /usr/local/     shows the files in that directory that are opened by processes
lsof +D /usr/local/     same as above, but also searches the subdirectories, so it takes longer
lsof -d 4               shows the processes using fd 4
lsof -i                 shows the processes matching the given conditions
lsof -i[46] [protocol][@hostname|hostaddr][:service|port]
46 --- IPv4 or IPv6
protocol --- TCP or UDP
hostname --- Internet host name
hostaddr --- IPv4 address
service --- service name in /etc/services (can be more than one)
port --- port number (can be more than one)