lsof (list open files) lists the files that processes on the current system have open. On Linux almost everything is presented as a file: not only regular data files, but also network connections and hardware devices are reached through file descriptors, and this is what makes lsof so powerful. A TCP or UDP socket, for example, is assigned a file descriptor by the kernel just like a regular file, so an application gets one common interface to the underlying operating system regardless of what the "file" actually is. Because the list of descriptors a process holds open says a great deal about what that process is doing, viewing it with lsof is a standard step in system monitoring, troubleshooting and incident triage.
Meaning of lsof output
Running lsof with no arguments at a terminal lists every open file on the system. lsof reads kernel state and the per-process entries under /proc, so an unprivileged user only sees their own processes; run it as root to get the complete picture.
# lsof
COMMAND  PID USER  FD  TYPE DEVICE    SIZE    NODE NAME
init       1 root cwd   DIR    3,3    1024       2 /
init       1 root rtd   DIR    3,3    1024       2 /
init       1 root txt   REG    3,3   38432 1763452 /sbin/init
init       1 root mem   REG    3,3  106114 1091620 /lib/libdl-2.6.so
init       1 root mem   REG    3,3 7560696 1091614 /lib/libc-2.6.so
init       1 root mem   REG    3,3   79460 1091669 /lib/libselinux.so.1
init       1 root mem   REG    3,3  223280 1091668 /lib/libsepol.so.1
init       1 root mem   REG    3,3  564136 1091607 /lib/ld-2.6.so
init       1 root 10u  FIFO   0,15            1309 /dev/initctl
Each line is one open file; by default, without any filter, lsof shows every file opened by every process. The columns mean:
COMMAND: name of the process
PID: process identifier
USER: owner of the process
FD: file descriptor, the handle through which the application refers to the file; either a number (with an access mode suffix) or a symbolic name such as cwd or txt
TYPE: type of the file, such as DIR or REG
DEVICE: major and minor numbers of the device the file lives on (3,3 above)
SIZE: size of the file in bytes (shown as SIZE/OFF on newer versions, where the offset is printed for files without a size, such as sockets)
NODE: inode number, the identity of the file on disk (or the protocol name, such as TCP, for network files)
NAME: full path of the open file, or the endpoint addresses for a socket
In the FD column the value cwd is the current working directory of the process. This is the directory the application was started from unless it has changed directory itself; rtd is the process's root directory, normally /. The txt entry is program text, that is, code: the application binary itself or a shared library, as /sbin/init is in the listing above; mem entries are memory-mapped files such as the shared libraries the program has loaded. Numeric values are ordinary file descriptors, the integer returned when the file was opened: on the last line, /dev/initctl is open on descriptor 10. The suffix u means the file is open for reading and writing, as opposed to read-only (r) or write-only (w). An uppercase W additionally means the process holds a write lock on the entire file; such a locked descriptor is commonly used to ensure that only one instance of an application runs at a time. Every process starts with three descriptors, 0, 1 and 2, for standard input, standard output and standard error, so most files an application opens get descriptors from 3 upward.
TYPE: regular files and directories are shown as REG and DIR (on Solaris, VREG and VDIR). CHR and BLK are character and block devices; unix, FIFO and IPv4 (or IPv6) are UNIX domain sockets, first-in-first-out (FIFO) pipes, and Internet Protocol sockets respectively.
Common Parameters
The lsof syntax is:
lsof [options] filename
lsof abc.txt             show the processes that have the file abc.txt open
lsof -c abc              show the files opened by processes whose command name starts with abc
lsof -p 1234             list the files opened by the process with PID 1234
lsof -g pgid             show the files of processes in the given process group (note that -g takes process group IDs, not group names or GIDs)
lsof -u uname/uid        show the files of processes owned by the user uname or uid
lsof +d /usr/local/      show files opened by any process in the directory /usr/local/ (top level only)
lsof +D /usr/local/      same, but descends recursively through subdirectories, which takes much longer on a large tree
lsof -d 4                show processes that have something open on file descriptor 4
lsof -i                  show network files (Internet sockets) instead of ordinary files
lsof -i [46][protocol][@hostname|hostaddr][:service|port]
    4 or 6               IPv4 or IPv6
    protocol             TCP or UDP
    hostname             Internet host name
    hostaddr             IPv4 (or IPv6) address
    service              a service name from /etc/services (more than one may be given, comma separated)
    port                 a port number (more than one may be given, comma separated)
Examples
lsof `which httpd`       which processes are using Apache's executable
lsof /etc/passwd         which processes have /etc/passwd open
lsof /dev/hda6           which processes are using the partition hda6
lsof /dev/cdrom          which processes are using the optical drive
lsof -c sendmail         file usage of processes whose command name starts with sendmail
lsof -c courier -u ^zahn files opened by processes whose name starts with courier but that are not owned by user zahn
lsof -p 30297            files opened by the process with PID 30297
lsof +D /tmp             all processes with files or directories open anywhere under /tmp; symbolic links inside /tmp are not followed
lsof -u 1000             file usage of processes owned by UID 1000
lsof -u tony             file usage of user tony's processes
lsof -u ^tony            file usage of processes not owned by tony (^ negates the selection)
lsof -i                  all network files, i.e. every open port and connection
lsof -i :80              all processes that have port 80 open
lsof -i -U               all network files plus all UNIX domain sockets
lsof -i udp@www.akadia.com:123   processes with a UDP socket to port 123 (NTP) of www.akadia.com
lsof -i tcp@HOST:ftp -r  keep listing the current FTP connections to HOST (HOST stands for a host name that did not survive extraction). With -r lsof repeats until it receives an interrupt signal; with +r it repeats until a listing produces no files; the default refresh interval is 15 seconds
lsof -i tcp@HOST:ftp -n  as above, but -n stops lsof converting IP addresses to host names; without -n addresses are resolved, which is slow and leaks queries to DNS
View all processes that have port 22 open:
# lsof -i :22
COMMAND  PID USER FD TYPE DEVICE SIZE NODE NAME
sshd    1409 root  3u IPv6   5678      TCP  *:ssh (LISTEN)
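The -i examples above are normally read by eye. On a host you are triaging it is more useful to reduce the listing to one line per listening port and compare it against what should be there. The following POSIX shell functions do that; they are an added example, not code from the original article. The lsof output they parse is constructed here to look like the real thing (the program names, PIDs and ports are invented), and the allow-list of expected ports is an assumption of this example. In practice you would feed them the live command: lsof -nP -i | unexpected_listeners '22 80 443'.

```shell
#!/bin/sh
# Added example: triage listening sockets from "lsof -nP -i" output.
# -n and -P keep addresses and ports numeric, so the parser never sees
# service names or reverse-DNS results. SAMPLE_LSOF_OUTPUT is constructed
# sample data, not captured from a real host.
SAMPLE_LSOF_OUTPUT='COMMAND   PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd     1409  root    3u  IPv6   5678      0t0  TCP *:22 (LISTEN)
sshd     1409  root    4u  IPv4   5679      0t0  TCP *:22 (LISTEN)
nginx    2201  root    6u  IPv4   9012      0t0  TCP 0.0.0.0:80 (LISTEN)
nginx    2201  root    7u  IPv4   9013      0t0  TCP 127.0.0.1:8080 (LISTEN)
nc       3301  www     3u  IPv4   9100      0t0  TCP 0.0.0.0:4444 (LISTEN)
sshd     3409  root    3u  IPv4   9200      0t0  TCP 10.0.0.5:22->10.0.0.9:51514 (ESTABLISHED)
chronyd  1501 chrony   5u  IPv4   7001      0t0  UDP 127.0.0.1:323'

# list_listeners: read lsof -nP -i output on stdin and print
# "proto port command pid user" for every socket in LISTEN state,
# one line per distinct listener (the IPv4 and IPv6 sshd rows collapse).
list_listeners() {
    awk '$NF == "(LISTEN)" {
        # $(NF-1) is "addr:port"; the port is whatever follows the last
        # colon, which also copes with IPv6 literals such as [::]:22
        n = split($(NF-1), parts, ":")
        printf "%s %s %s %s %s\n", tolower($(NF-2)), parts[n], $1, $2, $3
    }' | LC_ALL=C sort -u
}

# unexpected_listeners ALLOWED: print the listeners whose port is not in
# ALLOWED, a space-separated list of port numbers (the site policy is an
# assumption of this example).
unexpected_listeners() {
    allow="$1"
    list_listeners | awk -v allow="$allow" '
        BEGIN { split(allow, a, " "); for (i in a) ok[a[i]] = 1 }
        !($2 in ok) { print }'
}

# Stand-alone demonstration against the constructed sample.
printf '%s\n' "$SAMPLE_LSOF_OUTPUT" | unexpected_listeners '22 80 8080'
```

Run against the sample, the only unexpected listener is the netcat process on port 4444, which is exactly the kind of entry that deserves a follow-up with lsof -p 3301 to see what else that process has open.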
To view the program text (txt) files opened by processes owned by root. Note the -a option: it ANDs the -u and -d conditions; without it lsof lists files matching either condition:
# lsof -a -u root -d txt
COMMAND    PID USER  FD TYPE DEVICE    SIZE    NODE NAME
init         1 root txt  REG    3,3   38432 1763452 /sbin/init
mingetty  1632 root txt  REG    3,3   14366 1763337 /sbin/mingetty
mingetty  1633 root txt  REG    3,3   14366 1763337 /sbin/mingetty
mingetty  1634 root txt  REG    3,3   14366 1763337 /sbin/mingetty
mingetty  1635 root txt  REG    3,3   14366 1763337 /sbin/mingetty
mingetty  1636 root txt  REG    3,3   14366 1763337 /sbin/mingetty
mingetty  1637 root txt  REG    3,3   14366 1763337 /sbin/mingetty
kdm       1638 root txt  REG    3,3  132548 1428194 /usr/bin/kdm
X         1670 root txt  REG    3,3 1716396 1428336 /usr/bin/Xorg
kdm       1671 root txt  REG    3,3  132548 1428194 /usr/bin/kdm
startkde  2427 root txt  REG    3,3  645408 1544195 /bin/bash
To see what a particular process has open on a particular file descriptor, select the descriptor and filter by PID:
# lsof -d 6 | grep 6139
The same result without grep, and without the risk of matching the PID string in some other column, is lsof -a -p 6139 -d 6.
Search for network connections to an address
To find every network connection to a remote host with the IP address 10.65.64.23, run the following command, which lists all sockets on the system that are connected to that remote host:
# lsof -i @10.65.64.23
Find open files that have lost their directory entry
A common situation: while a process is writing to a file, the file or its directory is moved or deleted. The process keeps writing to the original inode, so the user sees data supposedly going to /data but no file growing there. lsof exposes this: the NAME column shows the original path followed by (deleted), and lsof +L1 lists only open files whose link count is below one, that is, files that no longer have any directory entry.
Find who is using a file system
Unmounting a file system fails with a "device is busy" error if any file on it is still open. With lsof you can find out which processes are holding the file system that you are trying to unmount:
# lsof /GTES11/
COMMAND  PID USER FD  TYPE DEVICE SIZE NODE NAME
bash    4208 root cwd  DIR    3,1 4096    2 /GTES11/
vim     4230 root cwd  DIR    3,1 4096    2 /GTES11/
In this example user root is working in the /GTES11 directory: one bash instance has it as its current directory, and a vim instance is editing a file under /GTES11. To unmount /GTES11 successfully you have to end these processes, after notifying the user so nothing is lost. The example also shows why a process's current working directory matters: it holds a reference to the file system and prevents it from being unmounted. This is why most daemons (background processes) change directory to / or to a service-specific directory (such as /var/spool/mqueue in the sendmail case), so that they never block the unmounting of unrelated file systems.
Recovering deleted files
When a Linux machine is compromised, attackers commonly delete log files to cover their tracks. Administrative mistakes cause similar losses, for instance when a database's active transaction log is deleted along with the old logs it was meant to clean up. Such files can sometimes be recovered with lsof.
When a process has a file open and the file is then deleted, its data stays on disk for as long as the process keeps the descriptor open: deletion only removes the directory entry, and the inode is freed when the last reference to it, whether a directory entry or an open descriptor, goes away. The process is not notified of the deletion and can continue to read and write through the descriptor it received when it opened the file. Outside that process, however, the file is no longer visible, because its directory entry is gone.
The bridge to that data is the /proc directory, which contains files reflecting the state of the kernel and the process tree. /proc is a memory-backed file system, so these files and directories do not exist on disk; reading or writing them reads or changes kernel state directly. Most of the information lsof relies on lives in per-process directories named after the PID: /proc/1234 holds the information for the process with PID 1234. Each such directory contains files describing the process's memory map, its list of file descriptors (as symbolic links under fd/ pointing at the files on disk) and other system information. lsof combines this with further kernel state to produce its output, which is how it can print a process's descriptors together with the associated file names. It also means we can reach a file's contents by going through a process's descriptor.
If a file is accidentally deleted while some process still has it open, its contents can be recovered through /proc with the help of lsof. Suppose /var/log/messages was deleted by mistake. The recovery goes as follows.
First, use lsof to check whether any process currently has /var/log/messages open:
# lsof | grep /var/log/messages
syslogd 1283 root 2w REG 3,3 5381017 1773647 /var/log/messages (deleted)
The output shows that PID 1283 (syslogd) has the file open on descriptor 2, for writing, and that the file has been flagged (deleted). The data is therefore still reachable as /proc/1283/fd/2 (each of a process's descriptors appears under fd/ as a file named after the descriptor number):
# head -n 10 /proc/1283/fd/2
Aug  4 ... holmes86 syslogd 1.4.1: restart.
Aug  4 ... holmes86 kernel: klogd 1.4.1, log source = /proc/kmsg started.
Aug  4 ... holmes86 kernel: Linux version 2.6.22.1-8 (...) (gcc version 4.2.0) #1 SMP ...
Aug  4 ... holmes86 kernel: BIOS-provided physical RAM map:
Aug  4 ... holmes86 kernel:  BIOS-e820: 0000000000000000 - 000000000009f000 (usable)
Aug  4 ... holmes86 kernel:  BIOS-e820: 000000000009f000 - 00000000000a0000 (reserved)
Aug  4 ... holmes86 kernel:  BIOS-e820: 0000000000100000 - 000000001f7d3800 (usable)
Aug  4 ... holmes86 kernel:  BIOS-e820: 000000001f7d3800 - 0000000020000000 (reserved)
Aug  4 ... holmes86 kernel:  BIOS-e820: 00000000e0000000 - 00000000f0007000 (reserved)
Aug  4 ... holmes86 kernel:  BIOS-e820: 00000000f0008000 - 00000000f000c000 (reserved)
(The timestamps and the kernel build string did not survive extraction of this page and are shown as "...".)
So the data to be recovered is available by reading /proc/1283/fd/2. Anything readable through a descriptor can be copied back into a regular file with I/O redirection:
# cat /proc/1283/fd/2 > /var/log/messages
Two caveats. The redirection creates a new inode at /var/log/messages; syslogd is still writing to the old, deleted one, so after the copy the daemon has to reopen its log (send it SIGHUP or restart it), otherwise new messages keep going to the unlinked file. And if the deletion may be the work of an intruder, copy the data to a separate location first and preserve that copy before touching the original path, so the evidence is not altered. Remember also that the window for this technique closes the moment the process exits or closes the descriptor.
This method of recovering deleted files works for many applications, and is especially useful for log files and databases.
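The recovery procedure above, and the earlier search for open files that have lost their directory entry, as one added POSIX shell example that is not code from the original article. It walks /proc directly instead of calling lsof, which also shows where lsof's (deleted) marker comes from: the kernel appends it to the link target under /proc/PID/fd. The /proc layout is the Linux one described above; the destination path passed to recover_fd is the caller's choice, and you need root to see descriptors of processes you do not own.

```shell
#!/bin/sh
# Added example: find files that are deleted on disk but still open, and
# copy their contents back out through /proc/PID/fd/N. With lsof installed
# the equivalent search is "lsof -nP +L1" (open files with link count < 1).

# deleted_open_files: print "PID FD PATH" for every descriptor whose target
# has been unlinked. readlink on /proc/PID/fd/N yields "PATH (deleted)" for
# such descriptors; descriptors we may not inspect are skipped silently.
deleted_open_files() {
    suffix=' (deleted)'
    for fd in /proc/[0-9]*/fd/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue
        case "$target" in
            *"$suffix")
                pid=${fd#/proc/}; pid=${pid%%/*}
                printf '%s %s %s\n' "$pid" "${fd##*/}" "${target%"$suffix"}"
                ;;
        esac
    done
}

# recover_fd PID FD DEST: copy the still-open inode to DEST. The copy goes
# to a temporary file on the destination file system and is renamed into
# place, so a half-written recovery never replaces DEST. Copy to a path the
# owning process does NOT write to; recreating the original path does not
# redirect the process, which keeps writing to the unlinked inode until it
# reopens its file.
recover_fd() {
    pid=$1; fd=$2; dest=$3
    src="/proc/$pid/fd/$fd"
    [ -e "$src" ] || { echo "no such descriptor: $src" >&2; return 1; }
    tmp="$dest.recover.$$"
    cp "$src" "$tmp" && mv "$tmp" "$dest"
}

# Stand-alone demonstration: list whatever is currently open-but-deleted.
deleted_open_files
```

Typical use: run deleted_open_files, pick the PID and FD of the file you need (the path column tells you which one it was), then recover_fd PID FD /root/recovered-messages, and only after verifying the copy restart or HUP the daemon so it opens a fresh log at the original path.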
Reference: http://blog.csdn.net/yuzhihui_no1/article/details/51767516