lsof (list open files) is a tool that lists the files currently open on the system. In Linux, everything exists in the form of a file; through files you can access not only ordinary data but also network connections and hardware.
For example, for Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) sockets, the system assigns a file descriptor to the application behind the scenes. Regardless of the nature of the file, this file descriptor provides a common interface between the application and the underlying operating system. Because the list of descriptors an application has open reveals a great deal about the application itself, viewing that list with lsof is very helpful for system monitoring and troubleshooting.
1. command format:
lsof [parameters] [files]
2. command functions:
lsof shows the files opened by a process, the processes that have a file open, and the ports (TCP and UDP) opened by a process. It can also be used to recover deleted files. It is a very convenient system monitoring tool. Because lsof needs to access kernel memory and various files, it needs to be executed by the root user.
The files lsof reports as open can be:
1. Ordinary files
2. Directories
3. Network file system files
4. Character or device files
5. (Function) shared libraries
6. Pipes and named pipes
7. Symbolic links
8. Network files (such as NFS files, network sockets, and UNIX domain sockets)
9. Other types of files
3. command parameters:
-a: list the processes that open the file
-c <process name>: list files opened by the specified process
-g: list GID process details
-d <file descriptor number>: list the processes that occupy this file descriptor number
+d <directory>: list opened files in a directory
+D <directory>: recursively list opened files in a directory
-N <directory>: list NFS files
-i <condition>: list processes that match the condition (4, 6, protocol, :port, @ip)
-p <process ID>: list files opened by the specified process ID
-u: list UID process details
-h: display help information
-v: display version information
4. example:
Instance 1: no parameters
Command: lsof
Output:
[root@localhost ~]# lsof
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
init 1 root cwd DIR 8,2 4096 2 /
init 1 root rtd DIR 8,2 4096 2 /
init 1 root txt REG 43496 6121706 /sbin/init
init 1 root mem REG 143600 7823908 /lib64/ld-2.5.so
init 1 root mem REG 1722304 7823915 /lib64/libc-2.5.so
init 1 root mem REG 23360 7823919 /lib64/libdl-2.5.so
init 1 root mem REG 95464 7824116 /lib64/libselinux.so.1
init 1 root mem REG 247496 7823947 /lib64/libsepol.so.1
init 1 root 10u FIFO 1233 /dev/initctl
migration 2 root cwd DIR 8,2 4096 2 /
migration 2 root rtd DIR 8,2 4096 2 /
migration 2 root txt unknown /proc/2/exe
ksoftirqd 3 root cwd DIR 8,2 4096 2 /
ksoftirqd 3 root rtd DIR 8,2 4096 2 /
ksoftirqd 3 root txt unknown /proc/3/exe
migration 4 root cwd DIR 8,2 4096 2 /
migration 4 root rtd DIR 8,2 4096 2 /
migration 4 root txt unknown /proc/4/exe
ksoftirqd 5 root cwd DIR 8,2 4096 2 /
ksoftirqd 5 root rtd DIR 8,2 4096 2 /
ksoftirqd 5 root txt unknown /proc/5/exe
events/0 6 root cwd DIR 8,2 4096 2 /
events/0 6 root rtd DIR 8,2 4096 2 /
events/0 6 root txt unknown /proc/6/exe
events/1 7 root cwd DIR 8,2 4096 2 /
Note:
The meaning of each lsof output column is as follows:
COMMAND: Process name
PID: Process identifier
PPID: parent process identifier (-R parameter needs to be specified)
USER: Process Owner
PGID: group to which the process belongs
FD: file descriptor. The application identifies the file through its file descriptor. Values include cwd and txt:
(1) cwd: current working directory, that is, the current working directory of the application; this is the directory the application was started from, unless it has changed directory.
(2) txt: program code, such as the application binary itself or a shared library, for example the /sbin/init program shown in the list above.
(3) lnn: library references (AIX );
(4) er: FD information error (see NAME column );
(5) jld: jail directory (FreeBSD );
(6) ltx: shared library text (code and data );
(7) mxx: hex memory-mapped type number xx.
(8) m86: DOS Merge mapped file;
(9) mem: memory-mapped file;
(10) mmap: memory-mapped device;
(11) pd: parent directory;
(12) rtd: root directory;
(13) tr: kernel trace file (OpenBSD );
(14) v86: VP/ix mapped file;
(15) 0: standard input
(16) 1: standard output
(17) 2: standard error.
Generally, standard output, standard error, and standard input are followed by the file status mode: r, w, u, etc.
(1) u: indicates that the file is opened in read/write mode.
(2) r: indicates that the file is opened in read-only mode.
(3) w: indicates that the file is opened and
(4) space: indicates that the status mode of the file is unknown and the file is not locked.
(5) -: indicates that the status mode of the file is unknown and the file is locked.
The file status mode may in turn be followed by a lock character:
(1) N: for a Solaris NFS lock of unknown type;
(2) r: for read lock on part of the file;
(3) R: for a read lock on the entire file;
(4) w: for a write lock on part of the file;
(5) W: for a write lock on the entire file;
(6) u: for a read and write lock of any length;
(7) U: for a lock of unknown type;
(8) x: for an SCO OpenServer Xenix lock on part of the file;
(9) X: for an SCO OpenServer Xenix lock on the entire file;
(10) space: if there is no lock.
TYPE: file type, such as DIR and REG. Common file types:
(1) DIR: directory
(2) CHR: character device
(3) BLK: block device
(4) UNIX: UNIX domain socket
(5) FIFO: first-in, first-out (FIFO) queue
(6) IPv4: Internet Protocol (IP) socket
DEVICE: the name of the disk.
SIZE: file size
NODE: index node (the identifier of the file on the disk)
NAME: the exact NAME of the opened file.
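As an added example (not part of the original article), the shell functions below decode the FD column described above into descriptor, access mode and lock, and pick out the regular files a process holds open for writing. The function names and the sample rows are constructed for illustration, and the w mode is assumed to mean write access, as in lsof's own documentation.

```shell
# Added example: decode lsof's FD column; all helper names are hypothetical.
# decode_fd FIELD: split a field such as "5uW" into descriptor, mode and lock.
decode_fd() {
    fd=$1
    case $fd in
        [0-9]*) ;;                              # numeric descriptor
        *) echo "$fd special"; return 0 ;;      # cwd, txt, mem, rtd, ...
    esac
    num=${fd%%[!0-9]*}                          # leading digits
    rest=${fd#"$num"}                           # mode character, then lock character
    lock=${rest#?}
    mode=${rest%"$lock"}
    case $mode in
        r) m="read-only" ;;
        w) m="write" ;;                         # assumption: w means write access
        u) m="read/write" ;;
        *) m="unknown" ;;                       # "-" or no mode character
    esac
    case $lock in
        '') l="none" ;;
        r) l="read, part of file" ;;
        R) l="read, entire file" ;;
        w) l="write, part of file" ;;
        W) l="write, entire file" ;;
        u) l="read and write" ;;
        *) l="other ($lock)" ;;
    esac
    echo "fd=$num mode=$m lock=$l"
}

# writable_regular: from default lsof output on stdin, print "PID FD NAME" for regular
# files open for writing (w or u). Assumes no PPID/PGID columns and no spaces in NAME.
writable_regular() {
    awk 'NR > 1 && $5 == "REG" && $4 ~ /^[0-9]+[wu]/ { print $2, $4, $NF }'
}

# Constructed sample rows in the column layout shown above.
sample_lsof() {
    cat <<'EOF'
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
vi 24976 root cwd DIR 8,2 4096 2258872 /opt/soft/test/test3
vi 24976 root 4u REG 8,2 12288 2258882 /opt/soft/test/test3/.log2013.log.swp
sshd 2756 root txt REG 8,2 409488 1027867 /usr/sbin/sshd
mysqld 3100 mysql 5uW REG 8,2 1048576 77001 /var/lib/mysql/ibdata1
mysqld 3100 mysql 7r REG 8,2 2048 77002 /etc/my.cnf
EOF
}

sample_lsof | writable_regular | while read -r pid fd name; do
    echo "pid=$pid $(decode_fd "$fd") name=$name"
done
```

On a live system, replace sample_lsof with a real lsof invocation such as lsof -u username.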
Instance 2: check who is using a file, that is, find the process related to a file.
Command: lsof /bin/bash
Output:
[root@localhost ~]# lsof /bin/bash
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
bash 24159 root txt REG 801528 5368780 /bin/bash
bash 24909 root txt REG 801528 5368780 /bin/bash
bash 24941 root txt REG 801528 5368780 /bin/bash
[root@localhost ~]#
Instance 3: recursively view the file information of a directory
Command: lsof test/test3
Output:
[root@localhost ~]# cd /opt/soft/
[root@localhost soft]# lsof test/test3
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
bash 24941 root cwd DIR 4096 2258872 test/test3
vi 24976 root cwd DIR 4096 2258872 test/test3
[root@localhost soft]#
Note:
When +D is used, all subdirectories and files in the corresponding directory will be listed.
Instance 4: without the +D option, traverse all the file information in a directory
Command: lsof | grep 'test/test3'
Output:
[root@localhost soft]# lsof | grep 'test/test3'
bash 24941 root cwd DIR 4096 2258872 /opt/soft/test/test3
vi 24976 root cwd DIR 4096 2258872 /opt/soft/test/test3
vi 24976 root 4u REG 12288 2258882 /opt/soft/test/test3/.log2013.log.swp
[root@localhost soft]#
Instance 5: list the files opened by a user.
Command: lsof -u username
Note: in the -u option, u is short for user.
Instance 6: list the files opened by a program's processes.
Command: lsof -c mysql
Note: the -c option lists the files of all processes whose names start with mysql. You could also write lsof | grep mysql, but the first form is obviously a few characters shorter than the second.
Instance 7: list the files opened by multiple processes.
Command: lsof -c mysql -c apache
Instance 8: list the files opened by a user and the files opened by a process.
Command: lsof -u test -c mysql
Note: the user and the process may or may not be related.
Instance 9: list open files except those opened by a given user.
Command: lsof -u ^root
Note: with ^ before the user name, processes opened by the root user are not displayed.
Instance 10: display the files opened by a process ID
Command: lsof -p 1
Instance 11: list the file information for multiple process IDs.
Command: lsof -p 1,2,3
Instance 12: list the files opened by all processes except a specific process ID.
Command: lsof -p ^1
Instance 13: list all network connections
Command: lsof -i
Instance 14: list all tcp network connection information
Command: lsof -i tcp
Instance 15: list all udp network connection information
Command: lsof -i udp
Instance 16: list who is using a port
Command: lsof -i :3306
Instance 17: list who is using a specific udp port
Command: lsof -i udp:55
Or: a specific tcp port
Command: lsof -i tcp:80
Instance 18: list all active network ports of a user
Command: lsof -a -u test -i
Instance 19: list all network file systems
Command: lsof -N
Instance 20: list UNIX domain socket files
Command: lsof -U
Instance 21: file information opened by a user group
Command: lsof -g 5555
Instance 22: list the corresponding file information based on the file descriptor
Command: lsof -d descriptor (such as 2)
Example: lsof -d txt
Example: lsof -d 1
Example: lsof -d 2
Note: 0 indicates the standard input, 1 indicates the standard output, and 2 indicates the standard error. It follows that the FDs of files opened by most applications start from 3.
Instance 23: list file information for a range of file descriptors
Command: lsof -d 2-3
Instance 24: list the file information where the COMMAND column contains the string "sshd" and the file descriptor type is txt.
Command: lsof -c sshd -a -d txt
Output:
[root@localhost soft]# lsof -c sshd -a -d txt
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sshd 2756 root txt REG 409488 1027867 /usr/sbin/sshd
sshd 24155 root txt REG 409488 1027867 /usr/sbin/sshd
sshd 24905 root txt REG 409488 1027867 /usr/sbin/sshd
sshd 24937 root txt REG 409488 1027867 /usr/sbin/sshd
[root@localhost soft]#
Instance 25: list all IPv4 network files opened by the process with process ID 1234
Command: lsof -i 4 -a -p 1234
Instance 26: list all file information related to ports 20, 21, and on the currently connected host peida.linux, and re-run the lsof command every 3 seconds.
Command: lsof -i @peida.linux:20,21, -r 3