One Linux command per day (6/18): lsof command

Lsof (list open files) is a tool that lists open files for the current system. In a Linux environment, everything is in the form of files, with files that not only access regular data, but also access to network connectivity and hardware. So, Lsof is a powerful feature. The general root user can execute the lsof command, and the normal user will see the/usr/sbin/lsof command, but normal user execution displays "permission denied". It is therefore helpful to see this list through the Lsof tool for system monitoring and troubleshooting. So, such as Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) sockets, the system assigns a file descriptor to the application in the background, regardless of the nature of the file, which provides a common interface for the interaction between the application and the underlying operating system

Lsof (list open files), that is, lists information about the files that are opened by the process, and the files that are opened can be:
1. Common Files

2. Catalogue

3. Files on the network file system

4. character or device file

5. (function) Shared library

6. Piping, Named pipes

7. Symbolic Links

8. Network files (for example: NFS file, network Socket,unix domain name socket)

9. There are other types of files, etc.
Command parameters:

-a lists the processes that exist for open files

-c< Process name > List files opened by the specified process

-G list GID process details

-d< File Number > list the process that occupies the file number

+d< directory > List files that are open under directory

+d< directory > recursively list files opened in directory

-n< directory > List files that use NFS

-i< conditions > lists the processes that meet the criteria. (4, 6, protocol,: Port, @ip)

-p< Process number > List files opened by the specified process number

-U list UID number process details

-H Display Help information

-V Display version information

Example: lsof-a: Indicates that two parameters must be met before displaying the result (-a:and meaning)

Lsof-c string: Displays all open files for the process containing the specified characters in the command column (-c:command meaning)
Note: the-c parameter can be followed by a regular expression, as in the following example
(1) Lsof-c/^ssh?/

Note:/regex/i, the latter I means case insensitive, and can also be B (regular regular expression), X (extended expression, default for this item)

Lsof-u Username: Displays the file that the user process belongs to (-u:user means)

Lsof-t/path/file: Shows the process ID number of the/path/file

Lsof-u: Show all UNIX domain socket files

Lsof-g GID: Shows the process of attribution to GID

Lsof-s: List the size of open files, if not size, leave blank (-s:size meaning)

lsof [-r | +r] + time (s): Indicates that output file information is re-displayed every second (for example: Lsof-r 3/bin/bash, which is to re-list the processes associated with the/bin/bash file every 3 seconds) (-R: Meaning of repeat)
(1)-R: This parameter will allow lsof to execute forever until the interrupt signal is received.
(2) +r: This parameter will allow lsof to execute until no files are displayed

Lsof +d/dir/: Show files opened by process in directory

Lsof +d/dir/: Same as above, but will search all directories under directory for a relatively long time

Lsof-d FD: The process that displays the specified file descriptor

Lsof-n: Do not convert IP to hostname, the default is not to add the-n parameter

Lsof-i: Used to show the condition of a process
(1) If-I is not followed by any parameters, all Internet and X. HP (UX) network files are displayed
(2) If-I is followed by some parameters, it indicates the relevant file
Lsof-i [4 | 6] [protocol] [@hostname |hostaddr][:service|port]
The parsing is as follows:
---IPV4 or IPV6
Protocol---TCP or UDP
Hostname-Internet Host name
HOSTADDR-IPV4 Address
Service-to-/etc/service in service name (can be more than one)
Port-and port number (can be more than one)

Lsof common usage: is to find the name and number of files opened by the application. Can be used to find out where a particular application logs the log data, or to track an issue. For example, Linux restricts the number of files that a process can open. This is usually a large number, so there is no problem, and when needed, the application can request a larger value (up to a certain limit). If you suspect that the application is running out of file descriptors, you can use Lsof to count the number of open files for verification

1) List all open files Lsof
Note: If you do not add any parameters, it will open all open files, it is recommended to add a parameter to the specific location, each line shows an open file, if not specified by default will show all the files opened by all processes.

The meaning of the lsof output column information is as follows:
COMMAND: Name of the process
PID: Process Identifier
PPID: Parent Process Identifier (the-R parameter needs to be specified)
USER: Process Owner
Pgid: The group to which the process belongs
FD: File descriptor in which the application recognizes the file through a file descriptor. such as CWD, TXT, etc.
(1) CWD: Represents the current working dirctory, which is the directory in which the application starts, unless it makes changes to the directory itself
(2) TXT: This type of file is a program code, such as the application binary file itself or a shared library, as shown in the list above/sbin/init program
(3) Lnn:library references (AIX);
(4) ER:FD information error (see NAME column);
(5) Jld:jail directory (FreeBSD);
(6) Ltx:shared Library text (code and data);
(7) Mxx:hex memory-mapped type number XX.
(8) M86:dos Merge mapped file;
(9) mem:memory-mapped file;
(ten) mmap:memory-mapped device;
(one) Pd:parent directory;
(rtd:root) directory;
(Tr:kernel) trace file (OpenBSD);
(+) v86 vp/ix mapped file;
(15) 0: Indicates standard output
(16) 1: Indicates standard input
(17) 2: standard error indication
Generally after standard output, standard error, standard input followed by file state mode: R, W, u, etc.
(1) U: Indicates that the file is open and in read/write mode
(2) R: Indicates that the file is open and is in read-only mode
(3) W: Indicates that the file is open and is in
(4) Space: Indicates that the file's status mode is Unknow and is not locked
(5)-: Indicates that the file's state mode is unknow and is locked
At the same time, after the file state mode, followed by the relevant lock
(1) n:for a Solaris NFS lock of unknown type;
(2) R:for read lock on part of the file;
(3) R:for A read lock on the entire file;
(4) W:for a write lock on part of the file;
(5) W:for A write lock on the entire file; (write lock for entire file)
(6) U:for a read and write lock of any length;
(7) U:for a lock of unknown type;
(8) x:for an SCO openserver Xenix lock in part of the file;
(9) x:for an SCO openserver Xenix lock on the entire file;
(space:if) There is no lock.
Type: File types, such as Dir, Reg, etc., common file types
(1) DIR: Indicates directory
(2) CHR: denotes character type
(3) BLK: Block device type
(4) Unix:unix domain sockets
(5) FIFO: Advanced First Out (FIFO) queue
(6) IPv4: Internet Protocol (IP) sockets
DEVICE: Specifies the name of the disk
Size: Sizes of files
Node: Index node (the identity of the file on disk)
Name: Open the exact name of the file

2) See who is using a file, which means finding a file-related process

[Email protected] ~]# Lsof/bin/bash
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
Bash 2298 root txt REG 253,0 729292 1474563/bin/bash
Bash 2409 ruanxi txt REG 253,0 729292 1474563/bin/bash

3) Recursively view file information for a directory

Lsof +d/filepath/filepath2/

Note: Using +d, all subdirectories and files in the corresponding directory will be listed

4) A way to traverse the view of all file information for a directory than using the +D option

lsof | grep '/filepath/filepath2/'

5) List the file information opened by a user

Lsof-u username

Note:-u option, U is actually the user's abbreviation

6) List the file information opened by a program process

Lsof-c MySQL

Note: the-C option will list all the files that start with the MySQL process, but you can also write Lsof | grep MySQL, but the first method is obviously a few characters less than the second method.

7) List multiple open file information for more than one process

Lsof-c mysql-c Apache

8) Lists the file information that is opened by a user and by a process (note: The user is related to the process and may not be relevant)

Lsof-u test-c MySQL

9) List of open file information except for one user

Lsof-u ^root

Note: ^ This symbol before the user name, will be the root user opens the process does not let the display

10) Display the open file by a process number

Lsof-p 1

11) List the file information corresponding to the number of process numbers

Lsof-p

12) Lists file information opened by other process numbers in addition to a process number

Lsof-p ^1

13) List all network connections

Lsof-i

14) List All TCP network connection information

Lsof-i TCP

15) List all UDP network connection information

Lsof-i UDP

16) List who is using a port

Lsof-i: 3306

17) List who is using a specific UDP port

Lsof-i udp:55

A specific TCP port

Lsof-i tcp:80

18) List all active network ports for a user

Lsof-a-U test-i

19) List all network file systems

Lsof-n

20) domain name socket file

Lsof-u

21) file information opened by a user group

Lsof-g 5555

22) List the corresponding file information according to the file description

Lsof-d description (like 2)
Example: lsof-d txt
Example: lsof-d 1
Example: lsof-d 2
Note: 0 indicates standard input, 1 for standard output, and 2 for standard error, so you know: so most applications open files with FD starting from 3

23) List file information according to the scope of the file description

Lsof-d 2-3

24) Lists file information in the command column that contains the string "Perl" and the file description is of type txt

[Email protected]:~$ lsof-c perl-a-D txt
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
Perl 5249 Sayuri txt unknown/proc/5249/exe (readlink:permission denied)
Perl 5376 Sayuri txt unknown/proc/5376/exe (readlink:permission denied)
Perl 5463 Sayuri txt unknown/proc/5463/exe (readlink:permission denied)
Perl 5567 Sayuri txt unknown/proc/5567/exe (readlink:permission denied)

25) List all IPV4 network files that are opened by processes with process number 1234

Lsof-i 4-a-P 1234

25) List The current connection host Ubuntu.unix-center port is: 20,21,22,25,53,80 related to all the file information, and every 3 seconds continuously execute lsof instructions

Lsof-i @ubuntu. Unix-center:20,21,22,25,53,80-r 3
For example, because FTP and SSH services are turned on on the host firewall, the Lsof command is available to view all the file information lists that are connected to the FIREWALLFTP and SSH service and open.

Iv. lsof related to file restoration

Instance one: Find out who is using the file system when uninstalling the file system, the operation will typically fail if there are any open files in the file system. Then through lsof you can find out which processes are using the file system that is currently being uninstalled, as follows:
# lsof/gtes11/
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
Bash 4208 root cwd DIR 3,1 4096 2/gtes11/
Vim 4230 root cwd DIR 3,1 4096 2/gtes11/
In this example, user root is doing some work in its/GTES11 directory.
(1) A bash is the instance that is running, and its current directory is/GTES11
(2) The other shows that Vim is editing the file under/GTES11
To successfully uninstall/GTES11, you should abort these processes after notifying the user to ensure that the situation is correct. This example illustrates the importance of the current working directory of the application because it retains the file resources and prevents the file system from being unloaded. This is why most daemons (background processes) change their directories to the root directory, or service-specific directories (as in the SendMail example)
/var/spool/mqueue) to prevent the daemon from uninstalling unrelated file systems.

Example two: Recovering deleted files when a Linux computer is compromised, it is common for log files to be deleted to conceal the attacker's traces. Administrative errors can also cause accidental deletion of important files, such as accidentally deleting the active transaction log of the database while cleaning up the old log, and sometimes recovering the files through lsof.

When a process opens a file, as long as the process remains open, even if it is deleted, it still exists on disk, which means that the process does not know that the file has been deleted, and it can still read and write to the file descriptor that was provided to it when the file was opened. In addition to this process, this file is not visible because its corresponding directory index node has been deleted. In the/proc directory, which contains the various files that reflect the kernel and the process tree, the/proc directory is mounted in an area that is mapped in memory, so these files and directories do not exist on the disk, so when we read and write these files, we actually get the relevant information from memory. Most of the information related to lsof is stored in a directory named after the PID of the process, that is,/proc/1234 contains information about the process with PID 1234. There are various files in each process directory that allow the application to simply understand the process's memory space, file description list characters, symbolic links to files on disk, and other system information. The LSOF program uses this information and other information about the internal state of the kernel to produce its output. So lsof can display information such as the file descriptor of the process and the associated filename. That is, we can find information about the file by accessing the file descriptor of the process. When a file in the system is accidentally deleted, as long as there is a process in the system that is accessing the file, then we can recover the contents of the file from the/proc directory by lsof.

If the/var/log/messages file is deleted due to misoperation, then the method to restore the/var/log/messages file is as follows: First use lsof to see if there is currently a process open/var/logmessages file, as follows:
# lsof |grep/var/log/messages
SYSLOGD 1283 root 2w REG 3,3 5381017 1773647/var/log/messages (Deleted)
From the above information you can see that the PID 1283 (syslogd) Open file has a file descriptor of 2. You can also see that/var/log/messages has been flagged for deletion. So we can view the corresponding information in/PROC/1283/FD/2 (each file descriptor for the process corresponding to a digitally named file under FD), as follows: # head-n 10/PROC/1283/FD/2
4 13:50:15 holmes86 Syslogd:restart.
4 13:50:15 holmes86 kernel:klogd 1.4.1, log Source =/proc/kmsg started.
4 13:50:15 holmes86 kernel:bios-e820:0008000-000 (Reserved)
As you can see from the information above, you can get the data you want to recover by looking at/PROC/8663/FD/15. If you can view the data through a file descriptor, you can use I/O redirection to copy it to a file, such as: CAT/PROC/1283/FD/2 >/var/log/messages
For many applications, especially log files and databases, this method of recovering deleted files is very

One Linux command per day (6/18): lsof command