Usage of LSOF commands in Linux

Lsof is a model of following UNIX philosophy, it does only one thing, and does it perfectly. To list all the file information that a process opens. Open files may be plain files, directories, NFS files, block files, character files, shared libraries, regular pipes, symbolic links, socket streams, network Socket,unix domain sockets, and more.

In a UNIX environment, where files are everywhere, there is a maxim: "Everything is a file." Not only do you have access to regular data through files, you typically also have access to network connections and hardware. In some cases, the corresponding entry appears when you request a catalog manifest using LS. In other cases, such as Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) sockets, there is no corresponding directory manifest. However, in the background, a file descriptor is assigned to the application, regardless of the nature of the file, which provides a common interface for interaction between the application and the underlying operating system.

It is helpful to be able to view this list because the application opens a list of descriptors that provide a lot of information about the application itself. The utility that completes this task is called the lsof, which corresponds to "List open files" (listing the open file). This utility is available in almost every UNIX version, but it is strange that most vendors do not include it in the initial installation of the operating system. For more information on lsof, see the Resources section.

Common parameter Explanation:

lsof filename Displays all processes that open the specified file

Lsof-a indicates that the results are displayed when all two parameters must be met

Lsof-c string Displays all open files for the process containing the specified characters in the command column

Lsof-u username displays files that are open by the owning user process, comma-delimited specifying multiple users

Lsof-g GID shows the process status of the attribution GID

Lsof +d/dir/displays files that are opened by the process in the directory

Lsof +d/dir/Ibid, but will search all directories under the directory, the time is relatively long

Lsof-d FD Displays the process of specifying a file descriptor

Lsof-n does not convert IP to hostname, the default is not to add-n parameter

Lsof-l, Function: Lists the number of connections to open files

Lsof-i is used to show the conditions of a qualifying process

lsof-i[46][protocol][@hostname |hostaddr][:service|port]

46–> IPv4 or IPv6

Protocol–> TCP or UDP

Hostname–> Internet Host Name

Hostaddr–> IPV4 Address

ServiceName in Service–>/etc/service (can be more than one)

Port–> port number (can be more than one)

Lsof is known as the Unix/linux debugging Swiss Army Knife, the general root user can execute the lsof command, the ordinary user may see the/usr/sbin/lsof command, but the ordinary user holds

The line displays "Permission Denied", with the following specific usage:

Lsof Abc.txt shows the process of opening file Abc.txt

Lsof-i: 22 Know what program 22 port is running now

LSOF-C ABC shows the files that the ABC process now opens

Lsof-g GID shows the process status of the attribution GID

Lsof +d/usr/local/displays files that are opened by the process in the directory

Lsof +d/usr/local/Ibid, but will search directories under the directory, longer

Lsof-d 4 shows the process using FD 4

Lsof-i is used to show the conditions of a qualifying process

List all network connections

# lsof-i

The-i option of lsof can list all processes that have network sockets open (TCP and UDP).

List all TCP network connections

# lsof-i TCP

You can also add parameters to the-I option, such as the TCP,TCP option to force lsof to only list open TCP
The process of sockets.

List all UDP network connections

# lsof-i UDP

Similarly, UDP lets lsof only list processes that use UDP sockets.
Syntax: lsof-i[46] [protocol][@hostname |hostaddr][:service|port]

--> IPv4 or IPv6

Protocol--> TCP or UDP

Hostname--> Internet Host name

Hostaddr--> IPv4 Position

Service name in service-->/etc/service (can be more than one)

Port--> Port number (can be more than one)

Example: Tcp:25-tcp and port 25

@1.2.3.4-internet IPV4 Host Address 1.2.3.4

TCP@OHAHA.KS.EDU.TW:FTP-TCP Protocol hosthaha.ks.edu.tw Service Name:ftp

Lsof-n does not convert IP to hostname, the default is not to add-n parameter

Example: Lsof-i tcp@ohaha.ks.edu.tw:ftp-n

Lsof-p 12 See which files are open for process number 12

Lsof +|-r [T] control lsof repeated execution, default is 15s refresh

-r,lsof will always execute until the interrupt signal is received.

+r,lsof will always execute until no file is shown

Example: Keep looking at the current FTP connection: Lsof-i tcp@ohaha.ks.edu.tw:ftp-r

LSOF-S lists the size of the open file, leaving a blank if there is no size

Lsof-u username with uid, listing open files # lsof-u UCSP

The-u option restricts the listing of all files opened by the user UCSP, and you can specify multiple users by commas:

# Lsof-u Sms,root (This article can also use lsof-u sms-u root)

This command lists all the files that are opened by SMS and root users.

Find all network connections for a user

# lsof-a-U hacker-i

Use-A combines the-U and-I options to let lsof list all network behavior for a user.

List all NFS (network file system) files

# Lsof-n

This parameter is well remembered, and-N corresponds to NFS.

List all UNIX domain sockets files

# Lsof-u

This option is also easy to remember, and-U corresponds to UNIX.

List all processes corresponding to a group ID

# LSOF-G 1234
An important application of lsof in practical operation:
View files that have been deleted but are still occupied by a process. (There is a problem with space not being released in this situation)
You can use the command when your disk space is full and you find that the file space is not up to the disk limit
lsof |grep deleted command to view files that have been deleted but have not yet been released, as shown in the following figure: Lsof

There are two ways to solve the problem when the situation is found.

First, view the process that occupies the file, kill the process, the file is released, the space is released.

Second, but encounter zombie process, kill or kill-9 command is unable to end the process, only restart the server, kill the process, the space itself released.

So, usually when we delete files, we can use the empty command without deleting, try to use the empty command. such as: echo "" >a.out, so that the contents of the A.out file is emptied.