Linux-lsof command

Source: Internet
Author: User

lsof (list open files) is a tool that lists the files currently open on the system. In a Linux environment, everything is represented as a file: files give access not only to regular data but also to network connections and hardware. For Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) sockets, as for anything else, the system assigns the application a file descriptor in the background; whatever the nature of the file, the descriptor provides a common interface between the application and the underlying operating system. Because the list of descriptors an application has open reveals a great deal about the application itself, viewing that list with lsof is helpful for system monitoring and troubleshooting.
Type lsof at the terminal to display the files open on the system. Because lsof needs to access kernel memory and various files, it must be run as root to be fully functional.
Partial output from running lsof with no arguments:


Each row displays an open file, and all files opened by all processes are displayed by default if you do not specify a condition.

The meaning of the lsof output column information is as follows:

COMMAND: Name of the process

PID: Process identifier

USER: Process owner

FD: File descriptor, through which the application identifies the file, such as cwd, txt, etc.

TYPE: File type, such as DIR, REG, etc.

DEVICE: Specifies the name of the disk

SIZE: Size of the file

NODE: Index node (the identity of the file on disk)

NAME: The exact name of the open file

In the FD column, the value cwd represents the application's current working directory, which is the directory the application was started from unless the application itself has changed it. An entry of type txt is program code, such as the application binary itself or a shared library, like the /sbin/init program shown in the list above.

The second kind of value is the application's file descriptor number, an integer returned when the file is opened. On the last line, for the file /dev/initctl, the file descriptor is 10. The u indicates that the file is open in read/write mode rather than read-only (r) or write-only (w) mode. A capital W indicates that the application holds a write lock on the entire file. This file descriptor is used to ensure that only one instance of the application can be open at a time. When an application starts, it has three file descriptors, 0 to 2, representing the standard input, output, and error streams respectively. Most files opened by an application therefore have FDs starting from 3.

The TYPE column is more intuitive than the FD column. Files and directories are shown as REG and DIR respectively. CHR and BLK represent character and block devices, while UNIX, FIFO, and IPv4 represent UNIX domain sockets, first-in-first-out (FIFO) queues, and Internet Protocol (IP) sockets respectively.
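
Added example (not part of the original article): a shell decoder for the FD column as described above (cwd, txt, a descriptor number followed by the r/w/u mode and the W lock flag), applied to rows in lsof's default column order. The sample rows, the demo process and the function names are constructed for illustration.

```shell
# Added example: decode lsof's FD column (cwd, txt, N + mode + lock).
# decode_fd FD -> prints "kind|mode|lock" for one FD-column value.
decode_fd() {
    fd=$1
    case $fd in
        cwd) echo "current working directory|-|-"; return ;;
        txt) echo "program text (binary or shared library)|-|-"; return ;;
    esac
    # Numeric descriptor: leading digits, then mode letter, then lock letter.
    num=$(printf '%s' "$fd" | sed -n 's/^\([0-9][0-9]*\).*$/\1/p')
    [ -n "$num" ] || { echo "other ($fd)|-|-"; return; }
    rest=${fd#"$num"}
    case $rest in
        r*) mode="read-only" ;;
        w*) mode="write-only" ;;
        u*) mode="read/write" ;;
        *)  mode="unknown" ;;
    esac
    case $rest in
        ?W)   lock="write lock on entire file" ;;
        ?|"") lock="none" ;;
        *)    lock="other lock type" ;;
    esac
    case $num in
        0) kind="standard input" ;;
        1) kind="standard output" ;;
        2) kind="standard error" ;;
        *) kind="descriptor $num" ;;
    esac
    echo "$kind|$mode|$lock"
}

# Constructed sample in lsof's default column order (not real output).
SAMPLE='COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
demo 4242 root cwd DIR 8,1 4096 2 /
demo 4242 root txt REG 8,1 150584 654127 /usr/sbin/demo
demo 4242 root 0u CHR 1,3 0 1028 /dev/null
demo 4242 root 3uW REG 8,1 5 7711 /run/demo.pid
demo 4242 root 4r FIFO 0,17 0 1233 /run/demo.ctl'

# describe_sample: annotate every sample row with its decoded FD field.
describe_sample() {
    printf '%s\n' "$SAMPLE" | while read -r cmd pid user fd type rest_of_line; do
        [ "$cmd" = COMMAND ] && continue
        echo "${cmd}[${pid}] $fd $type: $(decode_fd "$fd")"
    done
}

describe_sample
```

Only the first five columns are read positionally, because real lsof output can leave later columns such as SIZE empty, which shifts whitespace-split fields.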

Common parameters
The lsof syntax format is:

lsof [options] filename

lsof Abc.txt          shows the processes that have the file Abc.txt open
lsof -c ABC           shows the files currently opened by the process ABC
lsof -p 1234          lists the files opened by the process with process number 1234
lsof -g gid           shows the processes belonging to gid
lsof +d /usr/local/   shows the files in the directory that are opened by processes
lsof +D /usr/local/   same as above, but also searches the directories under the directory, which takes a long time
lsof -d 4             shows the processes using FD 4
lsof -i               shows the processes that match the given condition

lsof -i[46] [protocol][@hostname|hostaddr][:service|port]
    46         IPv4 or IPv6
    protocol   TCP or UDP
    hostname   Internet host name
    hostaddr   IPv4 address
    service    service name in /etc/services (can be more than one)
    port       port number (can be more than one)

Utility Commands:

lsof $(which httpd)              # which processes are using Apache's executable file
lsof /etc/passwd                 # which processes are using /etc/passwd
lsof /dev/hda6                   # which processes are using hda6
lsof /dev/cdrom                  # which processes are using the optical drive
lsof -c sendmail                 # view file usage of the sendmail process
lsof -c courier -u ^zahn         # show files opened by processes whose names start with courier but that do not belong to user zahn
lsof -p 30297                    # show files opened by the process with PID 30297
lsof +D /tmp                     # show all processes that have instances and files open in the /tmp folder; symbol files are not listed
lsof -u1000                      # view file usage of processes of the user whose UID is 1000
lsof -utony                      # view file usage of user tony's processes
lsof -u^tony                     # view file usage of processes that do not belong to user tony (^ means negation)
lsof -i                          # show all open ports
lsof -i :80                      # show all processes that have port 80 open
lsof -i -U                       # show all open ports and UNIX domain files
lsof -i UDP@www.akadia.com:123   # show processes that have opened a connection to the UDP 123 (NTP) port of www.akadia.com
lsof -i [email protected]:ftp -r   # continuously check current FTP connections (-r: lsof keeps running until it receives an interrupt signal; +r: lsof keeps running until no files are displayed; the default refresh interval is 15s)
lsof -i [email protected]:ftp -n   # -n: do not convert IP addresses to hostnames; by default -n is not applied

<FROM:http://www.cnblogs.com/ggjucheng/archive/2012/01/08/2316599.html>
