Linuxlsof command details and use examples (more detailed summary)

Lsof (listopenfiles) is a tool used to list open files in the current system. In linux, everything exists in the form of a file. through a file, you can not only access common data, but also access network connections and hardware.

Therefore, for example, the Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) sockets, the system assigns a file descriptor to the application at the backend, regardless of the nature of the file, this file descriptor provides a common interface for the interaction between the application and the basic operating system. Because the descriptor list of an application opening file provides a large amount of information about the application itself, it is very helpful for system monitoring and troubleshooting to view this list using the lsof tool.

1. command format:

Lsof [Parameters] [files]

2. command functions:

It is used to view the files opened by your process, the processes opened by the file, and the ports opened by the process (TCP and UDP ). Restore/restore deleted files. Is a very convenient system monitoring tool, because lsof needs to access the core memory and various files, so it needs to be executed by the root user.

The files opened by lsof can be:

1. Common Files

2. Directory

3. network file system files

4. characters or device files

5. (function) shared library

6. pipe, named pipe

7. symbolic links

8. network files (such as NFS file, network socket, and unix domain socket)

9. there are other types of files, etc.

3. command parameters:

-A: list the processes that open the file.

-C <进程名> List files opened by a specified process

-G: list GID process details

-D <文件号> List the processes that occupy this file number

+ D <目录> List opened files in a directory

+ D <目录> Recursively list opened files in a directory

-N <目录> List NFS files

-I <条件> List qualified processes. (4, 6, protocol,: Port, @ ip)

-P <进程号> List files opened by a specified process number

-U: list UID process details

-H: Display help information

-V: Display version information

4. example:

Instance 1: no parameters

Command: lsof

Output:

Copy codeThe code is as follows:
[Root @ localhost ~] # Lsof

COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
Init 1 root cwd DIR 8, 2 4096 2/
Init 1 root rtd DIR 8, 2 4096 2/
Init 1 root txt REG 43496 6121706/sbin/init
Init 1 root mem REG 143600 7823908/lib64/ld-2.5.so
Init 1 root mem REG 1722304 7823915/lib64/libc-2.5.so
Init 1 root mem REG 23360 7823919/lib64/libdl-2.5.so
Init 1 root mem REG 95464 7824116/lib64/libselinux. so.1
Init 1 root mem REG 247496 7823947/lib64/libsepol. so.1
Init 1 root 10u FIFO 1233/dev/initctl
Migration 2 root cwd DIR 8, 2 4096 2/
Migration 2 root rtd DIR 8, 2 4096 2/
Migration 2 root txt unknown/proc/2/exe
Ksoftirqd 3 root cwd DIR 8, 2 4096 2/
Ksoftirqd 3 root rtd DIR 8, 2 4096 2/
Ksoftirqd 3 root txt unknown/proc/3/exe
Migration 4 root cwd DIR 8, 2 4096 2/
Migration 4 root rtd DIR 8, 2 4096 2/
Migration 4 root txt unknown/proc/4/exe
Ksoftirqd 5 root cwd DIR 8, 2 4096 2/
Ksoftirqd 5 root rtd DIR 8, 2 4096 2/
Ksoftirqd 5 root txt unknown/proc/5/exe
Events/0 6 root cwd DIR 8, 2 4096 2/
Events/0 6 root rtd DIR 8, 2 4096 2/
Events/0 6 root txt unknown/proc/6/exe
Events/1 7 root cwd DIR 8, 2 4096 2/

Note:

The significance of lsof output column information is as follows:

COMMAND: Process name

PID: Process identifier

PPID: parent process identifier (-R parameter needs to be specified)

USER: Process Owner

PGID: group to which the process belongs

FD: file descriptor. the application identifies the file through the file descriptor. Such as cwd and txt

(1) cwd: Indicates current work dirctory, that is, the current working directory of the application, which is the directory started by the application, unless it changes the directory.

(2) txt: this type of file is the program code, such as the application binary file itself or the shared library. The/sbin/init Program shown in the above list

(3) lnn: library references (AIX );

(4) er: FD information error (see NAME column );

(5) jld: jail directory (FreeBSD );

(6) ltx: shared library text (code and data );

(7) mxx: hex memory-mapped type number xx.

(8) m86: DOS Merge mapped file;

(9) mem: memory-mapped file;

(10) mmap: memory-mapped device;

(11) pd: parent directory;

(12) rtd: root directory;

(13) tr: kernel trace file (OpenBSD );

(14) v86 VP/ix mapped file;

(15) 0: standard output

(16) 1: standard input

(17) 2: indicates a standard error.

Generally, standard output, standard error, and standard input are followed by the file status mode: r, w, u, etc.

(1) u: indicates that the file is opened and in read/write mode.

(2) r: indicates that the file is opened and in read-only mode.

(3) w: indicates that the file is opened and

(4) space: indicates that the state mode of the file is unknow and is not locked.

(5)-: indicates that the state mode of the file is unknow and the file is locked.

At the same time, after the file status mode, related locks are also followed.

(1) N: for a Solaris NFS lock of unknown type;

(2) r: for read lock on part of the file;

(3) R: for a read lock on the entire file;

(4) w: for a write lock on part of the file; (partial write lock of the file)

(5) W: for a write lock on the entire file; (the entire file write lock)

(6) u: for a read and write lock of any length;

(7) U: for a lock of unknown type;

(8) x: for an SCO OpenServer Xenix lock on part of the file;

(9) X: for an SCO OpenServer Xenix lock on the entire file;

(10) space: if there is no lock.

TYPE: file TYPE, such as DIR and REG. common file types

(1) DIR: indicates the Directory

(2) CHR: character type

(3) BLK: block device type

(4) UNIX: UNIX domain socket

(5) FIFO: FIFO queue

(6) IPv4: Internet Protocol (IP) socket

DEVICE: specify the disk name.

SIZE: file SIZE

NODE: index NODE (the identifier of the file on the disk)

NAME: the exact NAME of the opened file.

Instance 2: check who is using a file, that is, find the process related to a file.

Command: lsof/bin/bash

Output:

 
Copy codeThe code is as follows:
[Root @ localhost ~] # Lsof/bin/bash
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
Bash 24159 root txt REG 801528 5368780/bin/bash
Bash 24909 root txt REG 801528 5368780/bin/bash
Bash 24941 root txt REG 801528 5368780/bin/bash
[Root @ localhost ~] #

Example 3: recursively view the file information of a directory

Command: lsof test/test3

Output:

 
Copy codeThe code is as follows:
[Root @ localhost ~] # Cd/opt/soft/
[Root @ localhost soft] # lsof test/test3
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
Bash 24941 root cwd DIR 4096 2258872 test/test3
Vi 24976 root cwd DIR 4096 2258872 test/test3
[Root @ localhost soft] #

Note:

When + D is used, all subdirectories and files in the corresponding directory will be listed.

Example 4: without the + D option, traverse all the file information in a directory

Command: lsof | grep 'test/test3'

Output:

Copy codeThe code is as follows:
[Root @ localhost soft] # lsof | grep 'test/test3'
Bash 24941 root cwd DIR 4096 2258872/opt/soft/test/test3
Vi 24976 root cwd DIR 4096 2258872/opt/soft/test/test3
Vi 24976 root 4u REG 12288 2258882/opt/soft/test/test3/. log2013.log. swp
[Root @ localhost soft] #

Instance 5: lists the files opened by a user.

Command: lsof-u username

Description:-u option. u is short for user.

Instance 6: lists the files opened by a program process.

Command: lsof-c mysql

Note: The-c option will list all program files starting with the mysql process. In fact, you can also write lsof | grep mysql, however, the first method obviously requires a few characters less than the second method.

Instance 7: lists information about multiple open files in multiple processes.

Command: lsof-c mysql-c apache

Instance 8: lists information about a user and files opened by a process.

Command: lsof-u test-c mysql

Note: users and processes can be related or irrelevant.

Instance 9: lists information about open files except for those used outdoors.

Command: lsof-u ^ root

Note: ^ The process opened by the root user will not be displayed before the user name.

Instance 10: displays the file opened by a process number

Command: lsof-p 1

Instance 11: lists the file information corresponding to multiple process numbers.

Command: lsof-p 1, 2, 3

Instance 12: lists the files opened by other process numbers except for a specific process number.

Command: lsof-p ^ 1

Instance 13: list all network connections

Command: lsof-I

Instance 14: lists all tcp network connection information

Command: lsof-I tcp

Instance 15: list all udp network connection information

Command: lsof-I udp

Instance 16: list who is using a port

Command: lsof-I: 3306

Instance 17: list who is using a specific udp port

Command: lsof-I udp: 55

Or: a specific tcp port

Command: lsof-I tcp: 80

Instance 18: list all active network ports of a user

Command: lsof-a-u test-I

Instance 19: list all network file systems

Command: lsof-N

Instance 20: Domain name socket file

Command: lsof-u

Instance 21: file information opened by a user group

Command: lsof-g 5555

Instance 22: list the corresponding file information based on the file description

Command: lsof-d description (like 2)

Example: lsof-d txt

Example: lsof-d 1

Example: lsof-d 2

Note: 0 indicates the standard input, 1 indicates the standard output, and 2 indicates the standard error. it can be seen that the FD of files opened by most applications starts from 3.

Instance 23: list file information according to the file description range

Command: lsof-d 2-3

Instance 24: list the file information that contains the string "sshd" in the COMMAND column and the file type is txt.

Command: lsof-c sshd-a-d txt

Output:

 
Copy codeThe code is as follows:
[Root @ localhost soft] # lsof-c sshd-a-d txt
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
Sshd 2756 root txt REG 409488 1027867/usr/sbin/sshd
Sshd 24155 root txt REG 409488 1027867/usr/sbin/sshd
Sshd 24905 root txt REG 409488 1027867/usr/sbin/sshd
Sshd 24937 root txt REG 409488 1027867/usr/sbin/sshd
[Root @ localhost soft] #

Instance 25: lists all IPV4 network files opened by processes with process 1234

Command: lsof-I 4-a-p 1234

Instance 26: list all file information related to ports 20, 21, and on the currently connected host peida. linux, and continuously execute the lsof command every 3 seconds.

Command: lsof-I @ peida. linux: 20, 21,-r 3