Linux lsof Command Usage Summary

Source: Internet
Author: User

lsof (list open files) lists the files currently open on the system. In a Linux environment everything exists as a file: network connections and hardware are accessed through files just like regular data. So for objects such as Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) sockets, the system assigns a file descriptor to the application in the background regardless of the nature of the file, which gives the application and the underlying operating system a common interface. Because the list of file descriptors an application has open says a lot about the application itself, being able to view that list with lsof is very helpful for system monitoring and debugging.

Figure 1: lsof example

Enter lsof at a terminal to display the files the system has open. Because lsof needs access to kernel memory and various files, it must be run as root to work fully. Figure 1 above is an example of lsof output: each row displays one open file, and when no condition is specified, the files opened by every process are displayed by default. The meaning of the lsof output columns is as follows:
COMMAND: process name
PID: process identifier
USER: process owner
FD: the file descriptor as the application identifies it, or a special value such as cwd or txt
TYPE: file type, such as DIR or REG
DEVICE: device numbers identifying the disk
SIZE: file size
NODE: inode number (the file's identity on disk)
NAME: the exact name of the open file
The value cwd in the FD column represents the current working directory of the application: the directory the application started in, unless it changed directory itself. A txt entry is program code, such as the application binary itself or a shared library. Otherwise the FD value is the application's numeric file descriptor, the integer returned when the file was opened. The TYPE column is more intuitive than the FD column: files and directories are REG and DIR respectively; CHR and BLK are character and block devices; and unix, FIFO and IPv4 represent UNIX domain sockets, first-in first-out (FIFO) queues and Internet Protocol (IP) sockets respectively.
Here are some useful commands:

lsof `which httpd`  // which process is using the Apache executable
lsof /etc/passwd  // which process has /etc/passwd open
lsof /dev/hda6  // which process is using hda6
lsof /dev/cdrom  // which process is using the optical drive
lsof -c sendmail  // view the file usage of the sendmail process
lsof -c courier -u ^zahn  // show files opened by processes whose name starts with courier but which do not belong to the user zahn
lsof -p 30297  // display the files opened by the process with PID 30297
lsof +d /tmp  // display all processes and files open in the /tmp directory; symbolic links are not listed
lsof -u 1000  // view the file usage of processes of the user with UID 1000
lsof -u tony  // view the file usage of user tony's processes
lsof -u ^tony  // view the file usage of processes that do not belong to user tony (^ negates the selection)
lsof -i  // show all open network ports
lsof -i :80  // show all processes with port 80 open
lsof -i -U  // show all open ports and UNIX domain sockets
lsof -i udp@www.akadia.com:123  // show UDP connections that processes have open to port 123 (NTP) on www.akadia.com
lsof -i tcp@ohaha.ks.edu.tw:ftp -r  // repeatedly view the current FTP connections (-r: lsof keeps running until it receives an interrupt signal; +r: lsof runs until no files are listed; the default refresh interval is 15 s)
lsof -i tcp@ohaha.ks.edu.tw:ftp -n  // -n does not convert IP addresses to hostnames; by default -n is not set
You can use lsof -i :<port number> to see which program currently occupies a port.
Resources:
1. Linux lsof command details

Output information meaning
Enter lsof at a terminal to display the system's open files. Because lsof needs access to kernel memory and various files, it must be run as root to perform all of its functions.

Part of the output of running lsof with no arguments is:

COMMAND  PID   USER    FD   TYPE DEVICE SIZE/OFF NODE       NAME
init     1     root    cwd  DIR  8,1    4096     2          /
init     1     root    rtd  DIR  8,1    4096     2          /
init     1     root    txt  REG  8,1    150584   654127     /sbin/init
udevd    415   root    0u   CHR  1,3    0t0      6254       /dev/null
udevd    415   root    1u   CHR  1,3    0t0      6254       /dev/null
udevd    415   root    2u   CHR  1,3    0t0      6254       /dev/null
udevd    690   root    mem  REG  8,1    51736    302589     /lib/x86_64-linux-gnu/libnss_files-2.13.so
syslogd  1246  syslog  2w   REG  8,1    10187    245418     /var/log/auth.log
syslogd  1246  syslog  3w   REG  8,1    10118    245342     /var/log/syslog
dd       1271  root    0r   REG  0,3    0        4026532038 /proc/kmsg
dd       1271  root    1w   FIFO 0,15   0t0      409        /run/klogd/kmsg
dd       1271  root    2u   CHR  1,3    0t0      6254       /dev/null
Each line displays one open file; if no condition is specified, the files opened by every process are displayed by default.

The meaning of the lsof output column information is as follows:

COMMAND: process name

PID: process identifier

USER: process owner

FD: the file descriptor as the application identifies it, or a special value such as cwd or txt

TYPE: file type, such as DIR or REG

DEVICE: device numbers identifying the disk

SIZE: file size

NODE: inode number (the file's identity on disk)

NAME: the exact name of the open file


The value cwd in the FD column represents the current working directory of the application: the directory the application started in, unless it changed directory itself. A txt entry is program code, such as the application binary itself or a shared library, as the /sbin/init entry in the listing above shows.

Otherwise the FD value is the application's numeric file descriptor, the integer returned when the file was opened. In the last line for the file /dev/initctl, for example, the file descriptor is 10. The letter u indicates that the file is open in read/write mode rather than read-only (r) or write-only (w) mode. An upper-case W indicates that the application holds a write lock on the entire file; such a descriptor is used to ensure that only one instance of the application can run at a time. When an application starts it already has three file descriptors, 0 to 2, representing standard input, standard output and standard error respectively, so most applications open their files starting at FD 3.

The TYPE column is more intuitive than the FD column: files and directories are REG and DIR respectively; CHR and BLK are character and block devices; and unix, FIFO and IPv4 represent UNIX domain sockets, first-in first-out (FIFO) queues and Internet Protocol (IP) sockets respectively.

Common parameters
The lsof syntax is:
lsof [options] filename

lsof abc.txt  // show the processes that have the file abc.txt open
lsof -c abc  // show the files the abc process currently has open
lsof -p 1234  // list the files opened by the process with PID 1234
lsof -g gid  // show the files opened by processes belonging to process group gid
lsof +d /usr/local/  // display the files opened by processes in that directory
lsof +D /usr/local/  // as above, but also searches the subdirectories recursively, which takes longer
lsof -d 4  // show the processes using FD 4
lsof -i  // show the network files that match a condition
lsof -i [46][protocol][@hostname|hostaddr][:service|port]
46 --> IPv4 or IPv6
protocol --> TCP or UDP
hostname --> Internet host name
hostaddr --> IPv4 address
service --> service name from /etc/services (can be more than one)
port --> port number (can be more than one)

lsof usage examples
Find out who is using a file system


When you unmount a file system, the operation will typically fail if any files on that file system are open. With lsof you can find out which processes are currently using the file system being unmounted, as follows:
# lsof /gtes11/
COMMAND  PID   USER FD  TYPE DEVICE SIZE NODE NAME
bash     4208  root cwd DIR  3,1    4096 2    /gtes11/
vim      4230  root cwd DIR  3,1    4096 2    /gtes11/
In this example, user root is doing something in its /gtes11 directory. One bash instance is running with /gtes11 as its current directory, and the other line shows vim editing a file under /gtes11. To unmount /gtes11 successfully, you should terminate these processes after notifying the user, so that nothing is lost. The example shows why an application's current working directory matters: it holds a file-system resource and prevents the file system from being unmounted. This is why most daemons (background processes) change their directory to the root directory, or to a service-specific directory such as /var/spool/mqueue in the sendmail example, so that the daemon does not prevent an unrelated file system from being unmounted.
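The column semantics described earlier (cwd/rtd/txt/mem versus a numeric descriptor with its r/w/u access mode and an upper-case W lock flag) and the "who is holding my mount point" question of the /gtes11 example are easy to get wrong when scripting over lsof output by hand. The following is an added example in Python, not code from the original article: a small parser for lsof's default column layout, fed with constructed lines modelled on the listings above (the PIDs, sizes and names are made up, not captured from a real system). It decodes the FD column, flags entries lsof marks as (deleted), builds the matching /proc/PID/fd/N path, and lists the PIDs holding files under a given mount point.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on the listings in the text (not real output).
SAMPLE_LSOF = """\
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
init 1 root cwd DIR 8,1 4096 2 /
init 1 root txt REG 8,1 150584 654127 /sbin/init
init 1 root 10u FIFO 0,15 0t0 409 /dev/initctl
syslogd 1246 syslog 2w REG 8,1 10187 245418 /var/log/auth.log
syslogd 1283 root 2w REG 3,3 5381017 1773647 /var/log/messages (deleted)
sendmail 900 root 4uW REG 8,1 0 1234 /var/run/sendmail.pid
bash 4208 root cwd DIR 3,1 4096 2 /gtes11/
vim 4230 root 3u REG 3,1 88 17 /gtes11/notes.txt
"""


@dataclass
class OpenFile:
    command: str
    pid: int
    user: str
    fd: str        # raw FD column: "cwd", "txt", "mem", "2w", "4uW", ...
    ftype: str
    device: str
    size_off: str
    node: str
    name: str      # NAME with any trailing "(deleted)" marker stripped
    deleted: bool  # True when lsof reported the name as "(deleted)"

    @property
    def fd_number(self) -> Optional[int]:
        """Numeric descriptor, or None for cwd/rtd/txt/mem style entries."""
        m = re.match(r"^(\d+)", self.fd)
        return int(m.group(1)) if m else None

    @property
    def access(self) -> Optional[str]:
        """'r' read, 'w' write, 'u' read/write; only numeric FDs carry this."""
        m = re.match(r"^\d+([rwu])", self.fd)
        return m.group(1) if m else None

    @property
    def write_locked(self) -> bool:
        """Trailing upper-case W: the process holds a whole-file write lock."""
        return self.fd.endswith("W")

    @property
    def proc_fd_path(self) -> Optional[str]:
        """The /proc entry through which this descriptor's data can be read."""
        n = self.fd_number
        return f"/proc/{self.pid}/fd/{n}" if n is not None else None


def parse_lsof(text: str) -> List[OpenFile]:
    """Parse lsof's default (human-readable) output into OpenFile records."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("COMMAND"):
            continue
        # NAME is the last column and may contain spaces, e.g. "(deleted)",
        # so split at most 8 times and keep the remainder intact.
        parts = line.split(None, 8)
        if len(parts) < 9:
            continue  # assumes every column is present (true for the sample)
        name = parts[8]
        deleted = name.endswith("(deleted)")
        if deleted:
            name = name[: -len("(deleted)")].rstrip()
        entries.append(OpenFile(parts[0], int(parts[1]), parts[2], parts[3],
                                parts[4], parts[5], parts[6], parts[7],
                                name, deleted))
    return entries


def deleted_but_open(entries: List[OpenFile]) -> List[OpenFile]:
    """Unlinked files whose data is still reachable via /proc/PID/fd/N."""
    return [e for e in entries if e.deleted and e.fd_number is not None]


def holders_under(entries: List[OpenFile], mountpoint: str) -> List[int]:
    """PIDs whose cwd or open files lie under mountpoint (why umount fails)."""
    prefix = mountpoint.rstrip("/") + "/"
    return sorted({e.pid for e in entries if e.name.startswith(prefix)})


if __name__ == "__main__":
    files = parse_lsof(SAMPLE_LSOF)
    for e in deleted_but_open(files):
        print(f"{e.command}[{e.pid}] still holds {e.name} -> {e.proc_fd_path}")
    print("PIDs blocking umount of /gtes11:", holders_under(files, "/gtes11"))
```

For scripted use on a real host, lsof's -F option prints one field per line in a machine-readable form, which avoids the column-splitting ambiguities of the human layout (blank SIZE/OFF cells for some socket types, names containing spaces); the whitespace split above relies on every column being present, which holds for the constructed sample.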

Recover deleted files


When a Linux machine is compromised, it is common for log files to be deleted to hide the attacker's tracks. Administrative mistakes can also delete important files by accident, such as removing a database's active transaction log while cleaning up old logs. Sometimes these files can be recovered with lsof.
When a process opens a file, the file continues to exist on disk for as long as the process keeps it open, even after it has been deleted. The process does not notice that the file has been deleted, and it can still read and write through the file descriptor it was given when the file was opened. To everything other than that process the file is invisible, because its directory entry has been removed.
The /proc directory contains files that reflect the kernel and the process tree. /proc is a mounted view of kernel memory, so these files and directories do not exist on disk; reading and writing them actually reads the corresponding information from memory. Most of the information lsof uses is stored in the directory named after each process's PID, so /proc/1234 contains information about the process with PID 1234. Each process directory holds files that expose the process's memory space, its file descriptors as symbolic links to the files on disk, and other system information. lsof uses this information, together with other information about the kernel's internal state, to produce its output. This is why lsof can show a process's file descriptors alongside the associated file names, and why we can reach a file's data through the process's file descriptor.
When a file on the system is deleted by accident, we can recover its contents through the /proc directory with the help of lsof, as long as some process is still accessing it. If /var/log/messages is deleted by mistake, it can be restored as follows:
First use lsof to check whether any process currently has /var/log/messages open:
# lsof | grep /var/log/messages
syslogd 1283 root 2w REG 3,3 5381017 1773647 /var/log/messages (deleted)
The output shows that PID 1283 (syslogd) has the file open on file descriptor 2, and that /var/log/messages is marked as deleted. We can therefore read the corresponding data from /proc/1283/fd/2 (each numerically named file under fd is one file descriptor of the process):
# head -n 10 /proc/1283/fd/2
Aug 4 13:50:15 holmes86 syslogd 1.4.1: restart.
Aug 4 13:50:15 holmes86 kernel: klogd 1.4.1, log source = /proc/kmsg started.
Aug 4 13:50:15 holmes86 kernel: Linux version 2.6.22.1-8 (root@everestbuilder.linux-ren.org) (gcc version 4.2.0) #1 SMP Wed Jun 11:18:32 EDT 2007
Aug 4 13:50:15 holmes86 kernel: BIOS-provided physical RAM map:
Aug 4 13:50:15 holmes86 kernel:  BIOS-e820: 0000000000000000 - 000000000009f000 (usable)
Aug 4 13:50:15 holmes86 kernel:  BIOS-e820: 000000000009f000 - 00000000000a0000 (reserved)
Aug 4 13:50:15 holmes86 kernel:  BIOS-e820: 0000000000100000 - 000000001f7d3800 (usable)
Aug 4 13:50:15 holmes86 kernel:  BIOS-e820: 000000001f7d3800 - 0000000020000000 (reserved)
Aug 4 13:50:15 holmes86 kernel:  BIOS-e820: 00000000e0000000 - 00000000f0007000 (reserved)
Aug 4 13:50:15 holmes86 kernel:  BIOS-e820: 00000000f0008000 - 00000000f000c000 (reserved)
As the output shows, reading /proc/1283/fd/2 yields the data we want to recover. Since the data can be read through the file descriptor, I/O redirection can copy it back into a file:
cat /proc/1283/fd/2 > /var/log/messages
This method of recovering deleted files is useful for many applications, especially log files and databases.
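The recovery procedure above has one step the text does not show: once cat has created a new /var/log/messages, syslogd is still writing to the old, unlinked inode, so its later messages land nowhere visible until it reopens the file. The following is an added example in Python, not code from the original article, that reproduces the whole sequence inside one process on a temporary file: write a line, unlink the file while it is still open, confirm that /proc/PID/fd/N now points at "... (deleted)" (what lsof reported), copy the data out through that /proc path, then write again and show that the copy does not receive the new line. It assumes a Linux /proc file system; the log lines are constructed, with the hostname borrowed from the page's example.

```python
import os
import tempfile

# /proc is Linux-specific; the demo reports rather than fails elsewhere.
PROC_AVAILABLE = os.path.isdir("/proc/self/fd")

# Constructed log lines standing in for syslogd's output (not real data).
FIRST_LINE = b"Aug 4 13:50:15 holmes86 syslogd 1.4.1: restart.\n"
LATER_LINE = b"Aug 4 13:50:16 holmes86 syslogd: written after the copy was made\n"


def recover_via_proc_demo() -> dict:
    """Delete a file a process still holds open, recover it via /proc/PID/fd/N,
    and show that the writer keeps appending to the unlinked inode."""
    workdir = tempfile.mkdtemp()
    original = os.path.join(workdir, "messages")
    restored = os.path.join(workdir, "messages.restored")
    fd = -1
    try:
        # The "daemon" side: open the log for writing and keep the descriptor.
        fd = os.open(original, os.O_RDWR | os.O_CREAT, 0o600)
        os.write(fd, FIRST_LINE)
        os.unlink(original)  # the accidental deletion (or the attacker's rm)

        # This is what lsof lists as "<path> (deleted)": the link target
        # of /proc/<pid>/fd/<n> carries the marker.
        proc_path = f"/proc/{os.getpid()}/fd/{fd}"
        marked_deleted = os.readlink(proc_path).endswith(" (deleted)")

        # Equivalent of: cat /proc/PID/fd/N > /var/log/messages
        # Opening the /proc link reopens the inode from offset 0, so the
        # copy is the full file, independent of the writer's own offset.
        with open(proc_path, "rb") as src, open(restored, "wb") as dst:
            dst.write(src.read())

        # The "daemon" was not restarted: its next write still goes to the
        # old inode, not to the recovered copy.
        os.write(fd, LATER_LINE)
        with open(proc_path, "rb") as f:
            live = f.read()
        with open(restored, "rb") as f:
            copy = f.read()
        return {"marked_deleted": marked_deleted, "restored": copy, "live": live}
    finally:
        if fd >= 0:
            os.close(fd)  # the last reference: the old inode is now freed
        for path in (original, restored):
            if os.path.exists(path):
                os.unlink(path)
        os.rmdir(workdir)


if __name__ == "__main__":
    if PROC_AVAILABLE:
        result = recover_via_proc_demo()
        print("link marked deleted:", result["marked_deleted"])
        print("restored copy     :", result["restored"])
        print("live (old inode)  :", result["live"])
    else:
        print("/proc is not available on this platform")
```

The practical consequence for the /var/log/messages case is that the copy must be made before the daemon exits or is restarted (closing the last descriptor frees the inode for good), and that once the copy exists the daemon has to reopen its log (a restart or, for syslogd, a HUP) so that new messages go into the restored file rather than the unlinked one.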
