Linux system monitoring and diagnostic tools: lsof usage overview

1. lsof introduction

lsof is a very practical system-level monitoring and diagnostic tool in Linux. The name means List Open Files, and it is easy to remember as a combination of "ls + of".
It can be used to list information about the files opened by each process. Remember that "everything is a file" in Linux, including but not limited to pipes, sockets, directories and devices, so lsof can report on any open file. Running lsof with no arguments produces a large amount of output. Because lsof needs to access kernel memory and various files, it must be run as root to make full use of its functions.

Sample lsof output:

    root@YLinux:~/Lab0# lsof
    COMMAND PID TID USER  FD TYPE DEVICE SIZE/OFF    NODE NAME
    systemd   1     root cwd  DIR    8,6     4096       2 /
    systemd   1     root rtd  DIR    8,6     4096       2 /
    systemd   1     root txt  REG    8,6  2273340 1834909 /usr/lib/systemd/systemd
    systemd   1     root mem  REG          210473 1700647 /lib/libnss_files-2.15.so
    ...

2. Common lsof usage

2.1 Monitoring open files and devices

See which processes are using a file or device:

    # lsof /dev/tty1
    COMMAND  PID USER   FD TYPE DEVICE SIZE/OFF NODE NAME
    bash    1770 jian   0u  CHR    4,1      0t0 1045 /dev/tty1
    bash    1770 jian   1u  CHR    4,1      0t0 1045 /dev/tty1
    bash    1770 jian   2u  CHR    4,1      0t0 1045 /dev/tty1
    bash    1770 jian 255u  CHR    4,1      0t0 1045 /dev/tty1
    startx  1845 jian   0u  CHR    4,1      0t0 1045 /dev/tty1
    startx  1845 jian   1u  CHR    4,1      0t0 1045 /dev/tty1
    ...

2.2 Specify a directory or mount point of a file system to see which processes have files open on it:

    # lsof /data/
    COMMAND   PID USER  FD TYPE DEVICE SIZE/OFF NODE NAME
    bash    15983 jian cwd  DIR            4096 8252 /data/backup
    ...

This is useful when unmounting a file system fails (the file system is usually reported as busy).

List the files opened under a directory (such as /home):

    # lsof +D /var/log/

    COMMAND   PID USER   FD TYPE DEVICE SIZE/OFF   NODE NAME
    rsyslogd  488 syslog 1w  REG            1151 268940 /var/log/syslog
    rsyslogd  488 syslog 2w  REG            2405 269616 /var/log/auth.log
    console-k 144 root   9w  REG           10871 269369 /var/log/ConsoleKit/history

List the files opened by processes with the specified names:

    # lsof -c ssh -c init

    COMMAND    PID USER        FD TYPE     DEVICE SIZE/OFF    NODE NAME
    init         1 root       txt  REG        8,1   124704  917562 /sbin/init
    init         1 root       mem  REG        8,1  1434180 1442625 /lib/i386-linux-gnu/libc-2.13.so
    init         1 root       mem  REG        8,1                  /lib/i386-linux-gnu/librt-2.13.so
    ...
    ssh-agent 1528 lakshmanan  1u  CHR        1,3      0t0    4369 /dev/null
    ssh-agent 1528 lakshmanan  2u  CHR        1,3      0t0    4369 /dev/null
    ssh-agent 1528 lakshmanan  3u unix 0xdf70e240      0t0   10464 /tmp/ssh-sUymKXxw1495/agent.1495

2.3 View the files opened by a process:

    # lsof -p 2064
    COMMAND  PID USER  FD TYPE DEVICE SIZE/OFF    NODE NAME
    firefox 2064 jian cwd  DIR    8,6     4096 1571780 /home/jian
    firefox 2064 jian rtd  DIR    8,6     4096       2 /
    firefox 2064 jian txt  REG           44224 1985670 /usr/lib/firefox-12.0/firefox
    firefox 2064 jian mem  REG        14707012  925361 /usr/share/fonts/chinese/msyhbd.ttf
    firefox 2064 jian mem  REG        15067744  925362 /usr/share/fonts/chinese/msyh.ttf
    firefox 2064 jian mem  REG        16791251 1701681 /usr/share/fonts/wenquanyi/wqy-zenhei.ttc
    firefox 2064 jian mem  REG        67108904   10203 /dev/shm/pulse-shm-3021850167
    ...

To kill every process that has files or devices open for a given user:

    kill -9 `lsof -t -u lakshmanan`

Here -t makes lsof print only the process IDs.

2.4 Monitoring the network

See which processes are using a specified port (lsof -i on its own lists all open network connections):

    # lsof -i :22
    COMMAND  PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
    sshd    1569 root 3u IPv4  10303      0t0  TCP *:ssh (LISTEN)
    sshd    1569 root 4u IPv6  10305      0t0  TCP *:ssh (LISTEN)
    ...

List all network files opened by a process:

    lsof -i -a -p 234

or

    lsof -i -a -c ssh

List all TCP and UDP connections:

    lsof -i tcp;
    lsof -i udp;

List all NFS files:

    lsof -N -u lakshmanan -a

See which processes are using a specified network address:

    # lsof -i @192.168.1.91
    COMMAND  PID USER  FD TYPE DEVICE SIZE/OFF NODE NAME
    skype   1909 jian 54u IPv4   9116      0t0  TCP 192.168.1.91:40640->64.4.23.153:40047 (ESTABLISHED)
    pidgin  1973 jian  7u IPv4   6599      0t0  TCP 192.168.1.91:59311->hx-in-f125.1e100.net:https (ESTABLISHED)
    pidgin  1973 jian 13u IPv4   9260      0t0  TCP 192.168.1.91:54447->by2msg3010511.phx.gbl:msnp (ESTABLISHED)
    ...

3. More tips

3.1 Monitoring users

View the files opened by a specified user (lsof -u ^lakshmanan excludes a user):

    # lsof -u messagebus
    COMMAND    PID USER        FD TYPE DEVICE SIZE/OFF    NODE NAME
    dbus-daem 1805 messagebus cwd  DIR    8,6     4096       2 /
    dbus-daem 1805 messagebus rtd  DIR    8,6     4096       2 /
    dbus-daem 1805 messagebus txt  REG         1235361 1834948 /usr/bin/dbus-daemon
    dbus-daem 1805 messagebus mem  REG          210473 1700647 /lib/libnss_files-2.15.so
    dbus-daem 1805 messagebus mem  REG          190145 1700642 /lib/libnss_nis-2.15.so
    dbus-daem 1805 messagebus mem  REG          490366 1700636 /lib/libnsl-2.15.so
    ...

3.2 Monitoring applications

View the files opened by a specified program:

    # lsof -c firefox
    COMMAND  PID USER  FD TYPE DEVICE SIZE/OFF    NODE NAME
    firefox 2064 jian cwd  DIR    8,6     4096 1571780 /home/jian
    firefox 2064 jian rtd  DIR    8,6     4096       2 /
    firefox 2064 jian txt  REG           44224 1985670 /usr/lib/firefox-12.0/firefox
    firefox 2064 jian mem  REG        14707012  925361 /usr/share/fonts/chinese/msyhbd.ttf
    firefox 2064 jian mem  REG        15067744  925362 /usr/share/fonts/chinese/msyh.ttf
    firefox 2064 jian mem  REG        16791251 1701681 /usr/share/fonts/wenquanyi/wqy-zenhei.ttc
    ...

4. Command mode tips

4.1 Combining query conditions

By default, multiple query conditions are combined with logical OR. With the "-a" parameter, a file is listed only if it meets all of the query conditions (logical AND).

    # lsof -a -c bash -u root
    COMMAND  PID USER  FD TYPE DEVICE SIZE/OFF    NODE NAME
    bash    1986 root cwd  DIR            4096 1701593 /root/lab
    bash    1986 root rtd  DIR            4096       2 /
    bash    1986 root txt  REG         1994157 1700632 /bin/bash
    bash    1986 root mem  REG         9690800  405214 /usr/lib/locale/locale-archive
    bash    1986 root mem  REG          210473 1700647 /lib/libnss_files-2.15.so

4.2 Repeat mode

In repeat mode, lsof lists files based on the given parameters, waits for the given number of seconds, and lists them again. With "+r", repeat mode ends automatically when no open files are found. With "-r", it keeps running whether or not any files are open, until you interrupt it. The output of each cycle is separated by a line of '='. The delay time is given after '-r' or '+r'.

    # lsof -u lakshmanan -c init -a -r5

    =======
    =======
    COMMAND   PID USER        FD TYPE DEVICE SIZE/OFF    NODE NAME
    inita.sh 2971 lakshmanan cwd  DIR            4096  393218 /home/lakshmanan
    inita.sh 2971 lakshmanan rtd  DIR    8,1     4096       2 /
    inita.sh 2971 lakshmanan txt  REG           83848  524315 /bin/dash
    inita.sh 2971 lakshmanan mem  REG         1434180 1442625 /lib/i386-linux-gnu/libc-2.13.so
    inita.sh 2971 lakshmanan mem  REG          117960 1442612 /lib/i386-linux-gnu/ld-2.13.so
    inita.sh 2971 lakshmanan  0u  CHR  136,4      0t0       7 /dev/pts/4
    inita.sh 2971 lakshmanan  1u  CHR  136,4      0t0       7 /dev/pts/4
    inita.sh 2971 lakshmanan  2u  CHR  136,4      0t0       7 /dev/pts/4
    inita.sh 2971 lakshmanan 10r  REG                  393578 /home/lakshmanan/inita.sh
    =======

In the output above there is no output for the first 5 seconds, and then "inita.sh" is listed.

5. The last tip is about an inconsistency between the results of df -h and du -hx --max=1. The most common cause is found with:

    lsof | grep -i delete

This shows deleted files: a file has been deleted, but the process that has it open has not reloaded, so the space is still occupied. You can think of it like a process handle in Windows that has not been released. In Windows, however, a file that is in use by a process cannot be deleted.
Linux does allow the file to be deleted, but the space is not completely released until the process has finished using the file, so that the process does not crash. This is a difference in how the two operating systems manage resources. For example, nginx can hold a lot of temporary files in the /tmp directory; after they are deleted they still occupy space. You can run:

    pkill -9 nginx && /etc/init.d/nginx restart
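
To see which processes are holding the space described in tip 5, the script below totals the size of deleted-but-open files per process. It is an added example, not part of the original article: the function names are hypothetical, the sample data is constructed, and it reads lsof field output ("-F") with "+L1" selecting unlinked files, two lsof options the article itself does not use.

```shell
#!/bin/sh
# Added example: total the space held by deleted-but-open files, per process.
# Input is lsof field output (-F): one field per line, first character = field id
#   p=PID  c=command  f=file descriptor  s=size in bytes  n=name
# Live use (run as root to see every process):
#   lsof -nP +L1 -F pcfsn | deleted_space
# +L1 lists only open files whose link count is below 1, i.e. already unlinked.

deleted_space() {
    awk '
        # commit: add the file record just completed to its process total.
        # Files without a size field (sockets, pipes) are skipped.
        function commit() {
            if (have_file && size != "") held[pid " " cmd] += size
            have_file = 0; size = ""
        }
        /^p/ { commit(); pid = substr($0, 2); cmd = "?" }
        /^c/ { cmd = substr($0, 2) }
        /^f/ { commit(); have_file = 1 }
        /^s/ { size = substr($0, 2) }
        END {
            commit()
            for (k in held) printf "%.0f %s\n", held[k], k
        }
    ' | sort -rn    # largest holder first: "<bytes> <pid> <command>"
}

# Constructed sample of "lsof -nP +L1 -F pcfsn" output (not from a real host).
sample_lsof_fields() {
    cat <<'EOF'
p1204
cnginx
f7
s52428800
n/tmp/nginx-body-0001 (deleted)
f9
s10485760
n/tmp/nginx-body-0002 (deleted)
p2210
crsyslogd
f4
s2048
n/var/log/syslog.1 (deleted)
EOF
}

sample_lsof_fields | deleted_space
```

The process at the top of the list is the one to reload or restart in order to release the space.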