Lsof (list open files) is a tool that lists open files for the current system . In a Linux environment, everything is in the form of files, with files that not only access regular data, but also access to network connectivity and hardware. So, such as Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) sockets, the system assigns a file descriptor to the application in the background, regardless of the nature of the file, which provides a common interface for the interaction between the application and the underlying operating system. Because the application opens a descriptor list of files that provides a lot of information about the application itself, it is helpful to see the list through the Lsof tool for system monitoring and troubleshooting.
1. Command format:
lsof [parameters] [file]
2. Command function:
Used to view the files that your process opened, the process of opening the file, the port (TCP, UDP) that the process opened. Retrieve/Recover deleted files. is a very convenient system monitoring tool, because lsof needs to access core memory and various files, so the root user needs to execute.
Lsof open files can be:
1. Common Files
2. Catalogue
3. Files on the network file system
4. character or device file
5. (function) Shared library
6. Piping, Named pipes
7. Symbolic Links
8. Network files (for example: NFS file, network Socket,unix domain name socket)
9. There are other types of files, etc.
3. Command parameters:
-a lists the processes that exist for open files
-c< Process name > List files opened by the specified process
-G list GID process details
-d< File Number > list the process that occupies the file number
+d< directory > List files that are open under directory
+d< directory > recursively list files opened in directory
-n< directory > List files that use NFS
-i< conditions > lists the processes that meet the criteria. (4, 6, protocol,: Port, @ip)
-p< Process number > List files opened by the specified process number
-U list UID number process details
-H Display Help information
-V Display version information
4. Usage examples:
Example 1: No parameters
Command:
Lsof
Output:
[Email protected] ~]# lsof
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
Init 1 root cwd DIR 8,2 4096 2/
Init 1 root RTD DIR 8,2 4096 2/
Init 1 root txt REG 8,2 43496 6121706/sbin/init
Init 1 root mem REG 8,2 143600 7823908/lib64/ld-2.5.so
Init 1 root mem REG 8,2 1722304 7823915/lib64/libc-2.5.so
Init 1 root mem REG 8,2 23360 7823919/lib64/libdl-2.5.so
Init 1 root mem REG 8,2 95464 7824116/lib64/libselinux.so.1
Init 1 root mem REG 8,2 247496 7823947/lib64/libsepol.so.1
Init 1 root 10u FIFO 0,17 1233/dev/initctl
Migration 2 root CWD DIR 8,2 4096 2/
Migration 2 root RTD DIR 8,2 4096 2/
Migration 2 Root txt unknown/proc/2/exe
KSOFTIRQD 3 root cwd DIR 8,2 4096 2/
KSOFTIRQD 3 root RTD DIR 8,2 4096 2/
KSOFTIRQD 3 Root txt unknown/proc/3/exe
Migration 4 root CWD DIR 8,2 4096 2/
Migration 4 root RTD DIR 8,2 4096 2/
Migration 4 Root txt unknown/proc/4/exe
KSOFTIRQD 5 root CWD DIR 8,2 4096 2/
KSOFTIRQD 5 root RTD DIR 8,2 4096 2/
KSOFTIRQD 5 Root txt unknown/proc/5/exe
events/0 6 root cwd DIR 8,2 4096 2/
events/0 6 root RTD DIR 8,2 4096 2/
events/0 6 Root txt unknown/proc/6/exe
EVENTS/1 7 root CWD DIR 8,2 4096 2/
Description
The meaning of the lsof output column information is as follows:
COMMAND: Name of the process
PID: Process Identifier
PPID: Parent Process Identifier (the-R parameter needs to be specified)
USER: Process Owner
Pgid: The group to which the process belongs
FD: File descriptor in which the application recognizes the file through a file descriptor. such as CWD, TXT, etc.
(1) CWD: Represents the current working dirctory, which is the directory in which the application starts, unless it makes changes to the directory itself
(2) TXT: This type of file is a program code, such as the application binary file itself or a shared library, as shown in the list above/sbin/init program
(3) Lnn:library references (AIX);
(4) ER:FD information error (see NAME column);
(5) Jld:jail directory (FreeBSD);
(6) Ltx:shared Library text (code and data);
(7) Mxx:hex memory-mapped type number XX.
(8) M86:dos Merge mapped file;
(9) mem:memory-mapped file;
(ten) mmap:memory-mapped device;
(one) Pd:parent directory;
(rtd:root) directory;
(Tr:kernel) trace file (OpenBSD);
(+) v86 vp/ix mapped file;
(15) 0: Indicates standard output
(16) 1: Indicates standard input
(17) 2: standard error indication
Generally after standard output, standard error, standard input followed by file state mode: R, W, u, etc.
(1) U: Indicates that the file is open and in read/write mode
(2) R: Indicates that the file is open and is in read-only mode
(3) W: Indicates that the file is open and is in
(4) Space: Indicates that the file's status mode is Unknow and is not locked
(5)-: Indicates that the file's state mode is unknow and is locked
At the same time, after the file state mode, followed by the relevant lock
(1) n:for a Solaris NFS lock of unknown type;
(2) R:for read lock on part of the file;
(3) R:for A read lock on the entire file;
(4) W:for a write lock on part of the file;
(5) W:for A write lock on the entire file; (write lock for entire file)
(6) U:for a read and write lock of any length;
(7) U:for a lock of unknown type;
(8) x:for an SCO openserver Xenix lock in part of the file;
(9) x:for an SCO openserver Xenix lock on the entire file;
(space:if) There is no lock.
Type: File types, such as Dir, Reg, etc., common file types
(1) DIR: Indicates directory
(2) CHR: denotes character type
(3) BLK: Block device type
(4) Unix:unix domain sockets
(5) FIFO: Advanced First Out (FIFO) queue
(6) IPv4: Internet Protocol (IP) sockets
DEVICE: Specifies the name of the disk
Size: Sizes of files
Node: Index node (the identity of the file on disk)
Name: Open the exact name of the file
Example 2: See who is using a file, that is, find a file-related process
Command:
Lsof/bin/bash
Output:
[Email protected] ~]# Lsof/bin/bash
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
Bash 24159 root txt REG 8,2 801528 5368780/bin/bash
Bash 24909 root txt REG 8,2 801528 5368780/bin/bash
Bash 24941 root txt REG 8,2 801528 5368780/bin/bash
[Email protected] ~]#
Example 3: Recursively view file information for a directory
Command:
Lsof Test/test3
Output:
[Email protected] ~]# cd/opt/soft/
[Email protected] soft]# lsof test/test3
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
Bash 24941 root cwd DIR 8,2 4096 2258872 test/test3
VI 24976 root CWD DIR 8,2 4096 2258872 test/test3
[Email protected] soft]#
Description
With +d, all subdirectories and files in the corresponding directory will be listed
Example 4: A way to traverse all the file information of a directory without using the +D option
Command:
Lsof |grep ' Test/test3 '
Output:
[Email protected] soft]# lsof |grep ' Test/test3 '
Bash 24941 root cwd DIR 8,2 4096 2258872/opt/soft/test/test3
VI 24976 root CWD DIR 8,2 4096 2258872/opt/soft/test/test3
VI 24976 Root 4u REG 8,2 12288 2258882/opt/soft/test/test3/.log2013.log.swp
[Email protected] soft]#
Example 5: List file information opened by a user
Command:
Lsof-u username
Description
-U option, U is actually the user's abbreviation
Example 6: List file information opened by a program process
Command:
Lsof-c MySQL
Description
The-C option will list all the files that start with the MySQL process, but you can also write Lsof | grep MySQL, but the first method is obviously a few characters less than the second method.
Example 7: List multiple open file information for more than one process
Command:
Lsof-c mysql-c Apache
Example 8: List A user and the file information opened by a process
Command:
Lsof-u test-c MySQL
Description
Users can be related to processes or irrelevant
Example 9: List open file information except for a user
Command:
Lsof-u ^root
Description
^ This symbol before the user name, will be the root user opened the process does not let the display
Example 10: Displaying a file that is opened by a process number
Command:
Lsof-p 1
Example 11: List file information for multiple process numbers
Command:
Lsof-p
Example 12: List file information opened by other process numbers in addition to a process number
Command:
Lsof-p ^1
Example 13: List all network connections
Command:
Lsof-i
Example 14: List all TCP network connection information
Command:
Lsof-i TCP
Example 15: List all UDP network connection information
Command:
Lsof-i UDP
Example 16: List who is using a port
Command:
Lsof-i: 3306
Example 17: List who is using a specific UDP port
Command:
Lsof-i udp:55
Or: A specific TCP port
Command:
Lsof-i tcp:80
Example 18: List all active network ports for a user
Command:
Lsof-a-U test-i
Example 19: List all network file systems
Command:
Lsof-n
Example 20: Domain name socket file
Command:
Lsof-u
Example 21: File information opened by a user group
Command:
Lsof-g 5555
Example 22: Listing the corresponding file information according to the file description
Command:
Lsof-d description (like 2)
Example: lsof-d txt
Example: lsof-d 1
Example: lsof-d 2
Description
0 means standard input, 1 for standard output, and 2 for standard error, so you know: so most applications open files with FD starting from 3
Example 23: Listing file information according to the scope of the file description
Command:
Lsof-d 2-3
Example 24: List file information that contains the string "sshd" in the command column and the type of the file stroke is txt
Command:
Lsof-c Sshd-a-D txt
Output:
[Email protected] soft]# lsof-c sshd-a-D txt
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sshd 2756 root txt REG 8,2 409488 1027867/usr/sbin/sshd
sshd 24155 root txt REG 8,2 409488 1027867/usr/sbin/sshd
sshd 24905 root txt REG 8,2 409488 1027867/usr/sbin/sshd
sshd 24937 root txt REG 8,2 409488 1027867/usr/sbin/sshd
[Email protected] soft]#
[Email protected] soft]#
Example 25: List all IPV4 network files that are open by processes with process number 1234
Command:
Lsof-i 4-a-P 1234
Example 26: Lists all the file information associated with the current connection host Peida.linux Port as: 20,21,22,25,53,80, and executes the lsof instruction every 3 seconds continuously
Command:
Lsof-i @peida. Linux:20,21,22,25,53,80-r 3
Linux command--51 lsof (GO)