Linux lsof Command detailed

Source: Internet
Author: User

Introduction

lsof (list open files) is a tool that lists the files open on the current system. In a Linux environment everything is presented as a file, and files give access not only to regular data but also to network connections and hardware. So when an application opens, for example, a Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) socket, the system assigns it a file descriptor in the background, regardless of the nature of the file; this provides a common interface for interaction between the application and the underlying operating system. Because the list of descriptors an application has open reveals a lot about the application itself, viewing that list with lsof is helpful for system monitoring and troubleshooting.

Meaning of the output

Enter lsof at the terminal to display the files opened on the system. Because lsof needs to access kernel memory and various files, it must be run as root to perform its functions fully.

Part of the output of a plain lsof invocation looks like this:

COMMAND PID  USER   FD  TYPE DEVICE SIZE/OFF NODE       NAME
init    1    root   cwd DIR  8,1    4096     2          /
init    1    root   rtd DIR  8,1    4096     2          /
init    1    root   txt REG  8,1    150584   654127     /sbin/init
udevd   415  root   0u  CHR  1,3    0t0      6254       /dev/null
udevd   415  root   1u  CHR  1,3    0t0      6254       /dev/null
udevd   415  root   2u  CHR  1,3    0t0      6254       /dev/null
udevd   690  root   mem REG  8,1    51736    302589     /lib/x86_64-linux-gnu/libnss_files-2.13.so
syslogd 1246 syslog 2w  REG  8,1    10187    245418     /var/log/auth.log
syslogd 1246 syslog 3w  REG  8,1    10118    245342     /var/log/syslog
dd      1271 root   0r  REG  0,3    0        4026532038 /proc/kmsg
dd      1271 root   1w  FIFO 0,15   0t0      409        /run/klogd/kmsg
dd      1271 root   2u  CHR  1,3    0t0      6254       /dev/null

Each row shows one open file; if no condition is specified, all files opened by all processes are shown by default.

The columns of the lsof output mean the following:

COMMAND: name of the process

PID: process identifier

USER: owner of the process

FD: file descriptor, through which the application refers to the file, or a special value such as cwd or txt

TYPE: file type, such as DIR or REG

DEVICE: the device (disk) that holds the file

SIZE/OFF: size of the file (or, for some file types, the current offset)

NODE: index node (the identity of the file on the disk)

NAME: the exact name of the open file

The value cwd in the FD column represents the current working directory of the application, which is the directory the application was started from unless it changed directory itself. A txt entry is program code, such as the application binary itself or a shared library, as shown in the list above for the /sbin/init program.

Otherwise the FD value is the application's file descriptor, an integer returned when the file was opened. For example, in the line for /dev/initctl the file descriptor is 10. The letter u indicates that the file is open in read/write mode, as opposed to read-only (r) or write-only (w) mode. A capital W indicates that the application holds a write lock on the entire file; such a descriptor is used to ensure that only one instance of the application runs at a time. When an application starts, it already has three file descriptors, 0 to 2, representing the standard input, output, and error streams respectively, so most applications open their own files with descriptors starting from 3.

The TYPE column is more intuitive than the FD column. Regular files and directories are shown as REG and DIR respectively; CHR and BLK represent character and block devices; and UNIX, FIFO, and IPv4 represent UNIX domain sockets, first-in first-out (FIFO) queues, and Internet Protocol (IP) sockets.

Common Parameters

The lsof syntax is: lsof [options] filename

-d 4: show processes that are using file descriptor 4

-i: show processes that match a network condition. The syntax is lsof -i [46][protocol][@hostname|hostaddr][:service|port], where:

  4 or 6 - IPv4 or IPv6 protocol
  protocol - TCP or UDP
  hostname - Internet host name
  hostaddr - IPv4 address
  service - service name from /etc/services (more than one may be given)
  port - port number (more than one may be given)

lsof Use Instances

Find who is using the file system

When unmounting a file system, the operation will usually fail if any file on that file system is still open. With lsof you can find out which processes are using the file system you are trying to unmount:

# lsof /gtes11/
COMMAND PID  USER FD  TYPE DEVICE SIZE NODE NAME
bash    4208 root cwd DIR  3,1    4096 2    /gtes11/
vim     4230 root cwd DIR  3,1    4096 2    /gtes11/

In this example, user root is doing some work in the /gtes11 directory. One running instance of bash has /gtes11 as its current directory, and a vim process is editing a file under /gtes11. To unmount /gtes11 successfully, you should terminate these processes, after notifying the user so that nothing is lost. This example illustrates the importance of an application's current working directory: it holds a reference to the file system and prevents it from being unmounted. This is why most daemons (background processes) change their directory to the root directory or to a service-specific directory (such as /var/spool/mqueue in the case of sendmail), so that the daemon does not block the unmounting of unrelated file systems.

Recovering deleted files

When a Linux computer is compromised, it is common for log files to be deleted to conceal the attacker's traces. Administrative errors can also delete important files by accident, for example when the active transaction log of a database is removed while old logs are being cleaned up. Such files can sometimes be recovered with lsof. When a process opens a file, the file remains on disk for as long as the process keeps it open, even if it is deleted. The process does not know the file has been deleted and can still read and write through the file descriptor it was given when the file was opened. To everything except that process the file is invisible, because its directory entry has been removed.

The /proc directory contains files that reflect the state of the kernel and the process tree. /proc is mounted on an area that is mapped in memory, so these files and directories do not exist on disk; when we read and write them, we actually get the information from memory. Most of the information relevant to lsof is stored in a directory named after the PID of the process: /proc/1234 contains information about the process with PID 1234. Each process directory holds files that expose the process's memory space, its list of file descriptors, symbolic links to the files on disk, and other system information. The lsof program uses this information, together with other information about the kernel's internal state, to produce its output, so lsof can show the file descriptors of a process and the associated file names. In other words, we can find information about a file by going through the file descriptors of the process that has it open. When a file is accidentally deleted, as long as some process is still accessing it, we can recover its contents from /proc with the help of lsof.

If /var/log/messages is deleted by mistake, it can be restored as follows. First use lsof to see whether any process currently has /var/log/messages open:

# lsof | grep /var/log/messages
syslogd 1283 root 2w REG 3,3 5381017 1773647 /var/log/messages (deleted)

From this output you can see that PID 1283 (syslogd) has the file open on file descriptor 2, and that /var/log/messages is flagged as deleted. So we can view the file through /proc/1283/fd/2 (each entry under fd/ is one of the process's file descriptors, named by its number):

# head -n 10 /proc/1283/fd/2
Aug 4 13:50:15 holmes86 syslogd 1.4.1: restart.
Aug 4 13:50:15 holmes86 kernel: klogd 1.4.1, log source = /proc/kmsg started.
Aug 4 13:50:15 holmes86 kernel: Linux version 2.6.22.1-8 ([email protected]) (gcc version 4.2.0) #1 SMP Wed Jul 18 11:18:32 EDT
Aug 4 13:50:15 holmes86 kernel: BIOS-provided physical RAM map:
Aug 4 13:50:15 holmes86 kernel: BIOS-e820: 0000000000000000-000000000009f000 (usable)
Aug 4 13:50:15 holmes86 kernel: BIOS-e820: 000000000009f000-00000000000a0000 (reserved)
Aug 4 13:50:15 holmes86 kernel: BIOS-e820: 0000000000100000-000000001f7d3800 (usable)
Aug 4 13:50:15 holmes86 kernel: BIOS-e820: 000000001f7d3800-0000000020000000 (reserved)
Aug 4 13:50:15 holmes86 kernel: BIOS-e820: 00000000e0000000-00000000f0007000 (reserved)
Aug 4 13:50:15 holmes86 kernel: BIOS-e820: 00000000f0008000-00000000f000c000 (reserved)

This shows that reading /proc/1283/fd/2 gives the data to be recovered. If the data can be viewed through a file descriptor, it can be copied to a file with I/O redirection:

# cat /proc/1283/fd/2 > /var/log/messages

This method of recovering deleted files is useful for many applications, especially log files and databases.
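The /proc mechanism described above, and the current-directory check from the previous section, can be reproduced with a few shell functions. This is an added example, not part of the original article; it assumes Linux with /proc mounted and permission to read the target process's fd and cwd links (root for other users' processes). The function names are invented here.

```shell
#!/bin/sh
# Added example: reproduce two lsof checks directly from /proc, which is
# where lsof itself reads this information. Assumes Linux and permission
# to read /proc/<pid>/fd and /proc/<pid>/cwd for the processes inspected.

# List open file descriptors of PID $1 whose target has been unlinked.
# Output: "<fd> <path> (deleted)" per line, like lsof's FD and NAME columns.
deleted_open_files() {
    pid=$1
    for link in /proc/"$pid"/fd/*; do
        target=$(readlink "$link" 2>/dev/null) || continue
        case $target in
            *" (deleted)") echo "${link##*/} $target" ;;
        esac
    done
}

# Copy the still-open content of fd $2 in PID $1 to file $3: the same
# "cat /proc/PID/fd/N > file" redirection the article uses for recovery.
recover_deleted_fd() {
    cat /proc/"$1"/fd/"$2" > "$3"
}

# Print the PIDs whose current working directory lies under directory $1,
# i.e. the processes that would make "umount $1" fail with a busy error.
pids_with_cwd_under() {
    dir=${1%/}
    for p in /proc/[0-9]*; do
        cwd=$(readlink "$p"/cwd 2>/dev/null) || continue
        case $cwd in
            "$dir"|"$dir"/*) echo "${p##*/}" ;;
        esac
    done
}
```

Run deleted_open_files against each PID (for example in a loop over /proc/[0-9]*) to spot log files that were unlinked while a daemon still had them open, which is the situation lsof reports with "(deleted)".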

You can list information about the files opened by a process. The open files can be:

1. Regular files
2. Directories
3. Files on a network file system
4. Character device files
5. Shared libraries
6. Pipes and named pipes
7. Symbolic links
8. Sockets: stream sockets, network sockets, UNIX domain sockets
9. In Linux most things are treated as files, so there are many more.

How to use Lsof

Here we introduce the lsof command mainly through examples.

1. List all open files:

lsof

Note: with no parameters lsof lists every open file; adding a parameter to narrow the output is recommended.

2. See who is using a file:

lsof /filepath/file

3. Recursively view file information for a directory:

lsof +D /filepath/filepath2/

Note: with +D, all subdirectories and files under the given directory are listed (+d lists only the directory and its top-level contents).

4. Another way to view all file information for a directory, instead of the +D option:

lsof | grep '/filepath/filepath2/'

5. List the files opened by a user:

lsof -u username

Note: in the -u option, u is short for user.

6. List the files opened by a program:

lsof -c mysql

Note: the -c option lists the files of all processes whose command name starts with mysql. You can also write lsof | grep mysql, but the first method is much cheaper, because lsof does not have to list every open file first.

7. List the files opened by several programs:

lsof -c mysql -c apache

8. List the files opened by a user and a program:

lsof -a -u test -c mysql

Note: -a ANDs the selections; without it, lsof lists files that match either the user or the program.

9. List open files except those of a user:

lsof -u ^root

Note: the ^ in front of the user name excludes the processes of user root from the listing.

10. Show the files opened by a process number:

lsof -p 1

11. List file information for several process numbers:

lsof -p 123,456,789

12. List file information for all processes except one process number:

lsof -p ^1

13. List all network connections:

lsof -i

14. List all TCP network connections:

lsof -i TCP

15. List all UDP network connections:

lsof -i UDP

16. List who is using a port:

lsof -i :3306

17. List who is using a specific UDP port:

lsof -i udp:55

A specific TCP port:

lsof -i tcp:80

18. List all active network ports for a user:

lsof -a -u test -i

19. List all files on network file systems (NFS):

lsof -N

20. List UNIX domain socket files:

lsof -U

21. List the files opened by a process group:

lsof -g 5555

22. List file information by file descriptor number:

lsof -d 2

23. List file information by a range of file descriptor numbers:

lsof -d 2-3

Utility Commands

lsof `which httpd`              // which process is using Apache's executable
lsof /etc/passwd                // which process has /etc/passwd open
lsof /dev/hda6                  // which process is using hda6
lsof /dev/cdrom                 // which process is using the optical drive
lsof -c sendmail                // file usage of the sendmail process
lsof -c courier -u ^zahn        // files opened by processes whose name starts with courier, but which do not belong to user zahn
lsof -p 30297                   // files opened by the process with PID 30297
lsof +D /tmp                    // all processes with files open under /tmp, and those files; symbolic links are not listed
lsof -u 1000                    // file usage of the processes of the user with UID 1000
lsof -u tony                    // file usage of user tony's processes
lsof -u ^tony                   // file usage of processes that do not belong to user tony (^ means negation)
lsof -i                         // show all open ports
lsof -i :80                     // show all processes with port 80 open
lsof -i udp@www.akadia.com:123  // processes that have a connection open to UDP port 123 (NTP) on www.akadia.com
lsof -i @<host>:ftp -r          // keep watching the current FTP connections (with -r, lsof repeats until it receives an interrupt signal; with +r, it repeats until no file is listed; the default interval is 15 s)
lsof -i @<host>:ftp -n          // -n stops lsof from converting IP addresses to host names; without -n the conversion is done by default

