Introduction
lsof (list open files) lists the files that processes on the system currently have open. In Linux almost everything is presented as a file: through files you reach not only ordinary data but also network connections and hardware. So, for example, when a program opens a Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) socket the kernel assigns it a file descriptor, exactly as it does for any other kind of file; this gives applications one common interface to the underlying operating system. Because the list of descriptors a running application holds says a great deal about what that application is doing, inspecting it with lsof is very helpful for system monitoring and troubleshooting.
Output Information meaning
Typing lsof in a terminal lists the files open on the system. lsof reads kernel state through /proc (and on some systems kernel memory), so it has to be run as root to see every process; an unprivileged user only sees the files of processes they own.
Part of the output of a bare lsof:
COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF       NODE NAME
init        1   root  cwd    DIR    8,1     4096          2 /
init        1   root  rtd    DIR    8,1     4096          2 /
init        1   root  txt    REG    8,1   150584     654127 /sbin/init
udevd     415   root    0u   CHR    1,3      0t0       6254 /dev/null
udevd     415   root    1u   CHR    1,3      0t0       6254 /dev/null
udevd     415   root    2u   CHR    1,3      0t0       6254 /dev/null
udevd     690   root  mem    REG    8,1    51736     302589 /lib/x86_64-linux-gnu/libnss_files-2.13.so
syslogd  1246 syslog    2w   REG    8,1    10187     245418 /var/log/auth.log
syslogd  1246 syslog    3w   REG    8,1    10118     245342 /var/log/syslog
dd       1271   root    0r   REG    0,3        0 4026532038 /proc/kmsg
dd       1271   root    1w  FIFO   0,15      0t0        409 /run/klogd/kmsg
dd       1271   root    2u   CHR    1,3      0t0       6254 /dev/null
Each line is one open file. With no options given, lsof lists every file opened by every process.
The columns of the lsof output mean the following:
COMMAND: process name
PID: process identifier
USER: owner of the process
FD: file descriptor. An application refers to an open file by its descriptor number; this column may also hold a symbolic value such as cwd or txt
TYPE: file type, such as DIR or REG
DEVICE: major,minor numbers of the device holding the file
SIZE/OFF: file size, or the current file offset (shown as 0t... or 0x...)
NODE: inode number, the identifier of the file on its file system (for sockets the protocol name is shown instead)
NAME: the name of the open file
The value cwd in the FD column denotes the application's current working directory, that is, the directory it was started in unless it has since changed directory itself. rtd is its root directory and txt is program text: the executable itself or a shared library, as with /sbin/init in the listing above. mem marks a memory-mapped file, such as the libnss_files library mapped by udevd.
Otherwise the FD column holds the numeric file descriptor, the integer returned when the file was opened; the /var/log/syslog entry for syslogd above, for instance, is descriptor 3. The letter following the number gives the access mode: u means the file is open for reading and writing, r read-only and w write-only. An upper-case W after the mode letter means the process holds a write lock on the entire file (an R would be a read lock); daemons use such a lock to guarantee that only one instance runs at a time. Every process starts with three descriptors, 0 to 2, for standard input, output and error, so the descriptors of files an application opens itself usually start at 3.
The TYPE column is more self-explanatory than FD. REG and DIR are regular files and directories; CHR and BLK are character and block devices; unix, FIFO, IPv4 and IPv6 are Unix domain sockets, first-in-first-out (FIFO) pipes and Internet Protocol sockets.
Common Parameters
The syntax of lsof is:
lsof [options] filename
lsof abc.txt            lists the processes that have abc.txt open
lsof -c abc             lists the files opened by processes whose command name starts with abc
lsof -p 1234            lists the files opened by the process with PID 1234
lsof -g gid             lists the files opened by processes in process group gid
lsof +d /usr/local/     lists the files opened under the directory /usr/local/ (one level only)
lsof +D /usr/local/     the same, but descending into subdirectories
lsof -d 4               lists open files with file descriptor 4
lsof -i                 lists network files (sockets) matching the selection
lsof -i [46][protocol][@hostname|hostaddr][:service|port]
46        --> IPv4 or IPv6
protocol  --> TCP or UDP
hostname  --> Internet host name
hostaddr  --> IPv4 or IPv6 address
service   --> service name from /etc/services (more than one may be given)
port      --> port number (more than one may be given)
lsof examples
Find out who is using the file system
Unmounting a file system normally fails if any file on it is still open. lsof then shows which processes are using the file system you want to unmount:
# lsof /gtes11/
COMMAND  PID USER   FD   TYPE DEVICE SIZE NODE NAME
bash    4208 root  cwd    DIR    3,1 4096    2 /gtes11/
vim     4230 root  cwd    DIR    3,1 4096    2 /gtes11/
Here the user root is working inside /gtes11: one bash instance has /gtes11 as its current directory, and a vim instance is editing a file under /gtes11. To unmount /gtes11 cleanly you have to warn the user and then stop these processes. The example shows why an application's current working directory matters: it holds a reference to the file system and by itself prevents the unmount. This is also why most daemons (background processes) change their directory to the root directory or to a service-specific directory (for example /var/spool/mqueue in the case of sendmail), so that the daemon never blocks the unmounting of an unrelated file system.
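The check above can be scripted without parsing lsof's text output, because lsof obtains this information from /proc. The following added example (not code from the original article) walks /proc and reports every process that keeps a reference below a directory through its cwd, root directory, executable, an open descriptor or a memory-mapped file, labelling each reference with the same names lsof uses in its FD column. It assumes a Linux /proc; run it as root to see every process, since an unprivileged user only sees the processes they own.

```python
import os
import sys
import tempfile

# Added example, not code from the original article: report which processes
# hold references under a directory by reading /proc directly, which is the
# same information lsof +D <dir> uses. Run as root to see every process.

DELETED = " (deleted)"


def _under(path, top):
    """True if path equals top or lies below it (ignoring the ' (deleted)' suffix)."""
    if path.endswith(DELETED):
        path = path[: -len(DELETED)]
    return path == top or path.startswith(top.rstrip("/") + "/")


def _readlink(link):
    try:
        return os.readlink(link)
    except OSError:  # process already exited, or not ours and we are not root
        return None


def processes_using(top):
    """Return {pid: [(fd_or_kind, path), ...]} for every process that keeps a
    reference below top. The first tuple element uses lsof's FD names:
    cwd, rtd (root dir), txt (executable), mem (mapped file) or the number."""
    top = os.path.realpath(top)
    hits = {}
    for pid in (p for p in os.listdir("/proc") if p.isdigit()):
        base = f"/proc/{pid}"
        found = []
        for kind, link in (("cwd", "cwd"), ("rtd", "root"), ("txt", "exe")):
            target = _readlink(f"{base}/{link}")
            if target and _under(target, top):
                found.append((kind, target))
        try:
            fds = os.listdir(f"{base}/fd")
        except OSError:
            fds = []
        for fd in fds:
            target = _readlink(f"{base}/fd/{fd}")
            if target and _under(target, top):
                found.append((fd, target))
        try:
            with open(f"{base}/maps") as maps:
                # Each maps line: address perms offset dev inode [pathname]
                mapped = {parts[5] for parts in (ln.rstrip("\n").split(None, 5) for ln in maps)
                          if len(parts) == 6 and parts[5].startswith("/")}
        except OSError:
            mapped = set()
        for path in sorted(mapped):
            if _under(path, top):
                found.append(("mem", path))
        if found:
            hits[int(pid)] = found
    return hits


def demo_self_reference():
    """Self-check: make this process hold a cwd and an open descriptor inside a
    fresh temporary directory and confirm both are reported. Returns (cwd_seen, fd_seen)."""
    old_cwd = os.getcwd()
    with tempfile.TemporaryDirectory() as d:
        os.chdir(d)
        try:
            with open(os.path.join(d, "held.txt"), "w") as held:
                mine = processes_using(d).get(os.getpid(), [])
                cwd_seen = any(k == "cwd" for k, _ in mine)
                fd_seen = any(k == str(held.fileno()) for k, _ in mine)
        finally:
            os.chdir(old_cwd)
    return cwd_seen, fd_seen


if __name__ == "__main__":
    target_dir = sys.argv[1] if len(sys.argv) > 1 else "/tmp"
    for pid, refs in sorted(processes_using(target_dir).items()):
        for fd, path in refs:
            print(f"{pid:>7} {fd:>5} {path}")
```

Usage: `python3 who_uses.py /gtes11` prints one line per reference, PID first. Like lsof it reports the cwd, which is exactly the reference that bash and vim held in the listing above and that an unmount would trip over.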
Restore deleted files
When a Linux machine is compromised, attackers commonly delete log files to cover their tracks. Administrative mistakes can also destroy important files; for example, while clearing out old logs someone deletes the active transaction log of a database. In some of these cases lsof can be used to recover the file.
When a process has a file open, the file stays on disk for as long as the process keeps it open, even after it has been deleted: only the directory entry is removed, while the inode and its data blocks survive until the last reference goes away. The process itself does not notice the deletion and can keep reading and writing through the descriptor it received when it opened the file. For everyone else the file is invisible, because the name that pointed at the inode is gone.
The /proc directory contains files that reflect the kernel and the process tree. /proc is a virtual file system backed by memory rather than by disk, so reading or writing one of its files actually retrieves or changes information held by the kernel. Most of what lsof needs lives in the per-process directories named after the PID: /proc/1234 holds the information about the process with PID 1234. Each such directory contains entries describing the process's memory space, its file descriptor table (as symbolic links to the files on disk) and other state. lsof combines this with other information about the kernel's internal state to produce its output, which is why it can show a process's descriptors together with the corresponding file names. In other words, we can reach a file by going through the descriptor of a process that has it open.
So when a file has been deleted by mistake, its content can be recovered through /proc as long as some process still has it open. If, say, /var/log/messages has been deleted accidentally, proceed as follows.
First, use lsof to check whether any process has /var/log/messages open:
# lsof | grep /var/log/messages
syslogd 1283 root 2w REG 5381017 1773647 /var/log/messages (deleted)
The output shows that PID 1283 (syslogd) has the file open on descriptor 2, and that /var/log/messages is marked as deleted. The content can therefore be read through /proc/1283/fd/2 (each numerically named entry under fd is one descriptor of that process):
# head -n 10 /proc/1283/fd/2
Aug 4 13:50:15 holmes86 syslogd 1.4.1: restart.
Aug 4 13:50:15 holmes86 kernel: klogd 1.4.1, log source = /proc/kmsg started.
Aug 4 13:50:15 holmes86 kernel: Linux version 2.6.22.1-8 (root@everestbuilder.linux-ren.org) (gcc version 4.2.0) #1 SMP Wed Jul 18 11:18:32 EDT 2007
Aug 4 13:50:15 holmes86 kernel: BIOS-provided physical RAM map:
Aug 4 13:50:15 holmes86 kernel: BIOS-e820: 0000000000000000 - 000000000009f000 (usable)
Aug 4 13:50:15 holmes86 kernel: BIOS-e820: 000000000009f000 - 00000000000a0000 (reserved)
Aug 4 13:50:15 holmes86 kernel: BIOS-e820: 0000000000100000 - 000000001f7d3800 (usable)
Aug 4 13:50:15 holmes86 kernel: BIOS-e820: 000000001f7d3800 - 0000000020000000 (reserved)
Aug 4 13:50:15 holmes86 kernel: BIOS-e820: 201710000e0000000 - 00000000f0007000 (reserved)
Aug 4 13:50:15 holmes86 kernel: BIOS-e820: 00000000f0008000 - 00000000f000c000 (reserved)
So the data to be recovered is readable through /proc/1283/fd/2. Once the content is visible through the descriptor, I/O redirection copies it back into a file:
cat /proc/1283/fd/2 > /var/log/messages
Note that the new /var/log/messages is a new inode: syslogd keeps writing to the deleted one until it reopens its log, so restart it (or send it SIGHUP) afterwards, and do so before the process exits, since at that moment the old data is gone for good. For many applications, log files and databases in particular, this is a very useful way of getting deleted files back.
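The procedure above can be automated by reading the same /proc entries lsof reads. The following added example (not code from the original article) lists the descriptors of a process whose targets have been unlinked, equivalent to lsof | grep deleted, and copies one of them back out through /proc/<pid>/fd/<n>. It assumes a Linux /proc and that the caller is root or owns the target process; the sample log text in it is constructed for the self-check.

```python
import os
import tempfile

# Added example, not code from the original article: find descriptors whose
# target has been unlinked (what "lsof | grep deleted" reports) and copy the
# data back out through /proc/<pid>/fd/<n>. Reading another process's
# descriptors this way requires root or ownership of that process.

DELETED = " (deleted)"


def deleted_fds(pid):
    """Return [(fd, original_path), ...] for descriptors of pid that point at
    unlinked files. memfd and other anonymous inodes are left out."""
    fd_dir = f"/proc/{pid}/fd"
    out = []
    for fd in os.listdir(fd_dir):
        try:
            target = os.readlink(f"{fd_dir}/{fd}")
        except OSError:  # descriptor closed between listdir and readlink
            continue
        if (target.startswith("/") and target.endswith(DELETED)
                and not target.startswith("/memfd:")):
            out.append((int(fd), target[: -len(DELETED)]))
    return sorted(out)


def recover(pid, fd, dest):
    """Copy everything behind /proc/pid/fd/fd into dest. Opening the /proc path
    yields a new descriptor on the same inode positioned at offset 0, so the
    owner's current write position does not matter. Returns bytes copied."""
    copied = 0
    with open(f"/proc/{pid}/fd/{fd}", "rb") as src, open(dest, "wb") as dst:
        while True:
            chunk = src.read(1 << 16)
            if not chunk:
                return copied
            dst.write(chunk)
            copied += len(chunk)


# Constructed sample content standing in for a syslog file.
SAMPLE = (b"Aug  4 13:50:15 holmes86 syslogd 1.4.1: restart.\n"
          b"Aug  4 13:50:15 holmes86 kernel: klogd 1.4.1, log source = /proc/kmsg started.\n")


def demo_recover_own_file():
    """Self-check: write SAMPLE to a file, unlink it while it is still open,
    locate it with deleted_fds() on our own PID and recover it. Returns the
    recovered bytes, which should equal SAMPLE."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "messages")
        dest = os.path.join(d, "messages.recovered")
        with open(victim, "wb") as log:
            log.write(SAMPLE)
            log.flush()
            os.unlink(victim)  # directory entry gone, inode still held open
            if os.path.exists(victim):
                return b""
            found = dict(deleted_fds(os.getpid()))
            if log.fileno() not in found:
                return b""
            recover(os.getpid(), log.fileno(), dest)
        with open(dest, "rb") as back:
            return back.read()


if __name__ == "__main__":
    import sys
    pid = int(sys.argv[1]) if len(sys.argv) > 1 else os.getpid()
    for fd, path in deleted_fds(pid):
        print(f"{pid} {fd} {path}")
```

Usage: `python3 deleted_fds.py 1283` prints the deleted files syslogd still holds; `recover(1283, 2, "/var/log/messages")` then does what the cat redirection above does. As with the manual procedure, the daemon keeps writing to the old inode until it reopens its log, so restart it afterwards.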
Practical commands
lsof $(which httpd) // which processes are using the Apache executable
lsof /etc/passwd // which processes have /etc/passwd open
lsof /dev/hda6 // which processes are using hda6
lsof /dev/cdrom // which processes are using the optical drive
lsof -c sendmail // files used by the sendmail process
lsof -c courier -u ^zahn // files opened by processes whose command name starts with courier, excluding those owned by user zahn
lsof -p 30297 // files opened by the process with PID 30297
lsof +D /tmp // all processes with files open under /tmp, recursively; files reached only through symbolic links are not listed
lsof -u 1000 // files used by processes with uid 1000
lsof -u tony // files used by user tony's processes
lsof -u ^tony // files used by processes not owned by user tony (^ negates the selection)
lsof -i // all network files: open ports and connections
lsof -i :80 // all processes with port 80 open
lsof -i -U // all IP sockets and Unix domain sockets
lsof -i UDP@www.akadia.com:123 // processes with a UDP socket on port 123 (NTP) to www.akadia.com
lsof -i tcp@ohaha.ks.edu.tw:ftp -r // keep listing the FTP connections: with -r lsof repeats until it receives an interrupt signal, with +r until a listing produces no files; the default interval is 15 s
lsof -i tcp@ohaha.ks.edu.tw:ftp -n // -n stops lsof from converting IP addresses to host names; without it the reverse lookups are done, which can be slow